From 141a6f4a6a49d29b9263b4c2f89f2e21a18c1ac7 Mon Sep 17 00:00:00 2001
From: gaelmuller <35897+gaelmuller@users.noreply.github.com>
Date: Thu, 11 Jun 2026 09:14:00 +0000
Subject: [PATCH] Refresh Built-in detection rules documentation

---
 ...f5e-a585fc7c8fc0_do_not_edit_manually.json |    2 +-
 ...55e-d3fd74d86cb4_do_not_edit_manually.json |    2 +-
 ...41e-af269b45bef1_do_not_edit_manually.json |    2 +-
 ...7d1-588319e39d71_do_not_edit_manually.json |    2 +-
 ...5c4-c8174c307e48_do_not_edit_manually.json |    2 +-
 ...b24-902c9daa2d3c_do_not_edit_manually.json |    2 +-
 ...d9d-01ca28882c3f_do_not_edit_manually.json |    2 +-
 ...22d-b86ba3b42a05_do_not_edit_manually.json |    2 +-
 ...06d-f92f3a46bcdd_do_not_edit_manually.json |    2 +-
 ...575-9e43af779f9f_do_not_edit_manually.json |    2 +-
 ...5e2-4597e366b8c4_do_not_edit_manually.json |    2 +-
 ...02e-e88fe2193365_do_not_edit_manually.json |    2 +-
 ...dc1-0242ac120002_do_not_edit_manually.json |    2 +-
 ...803-e7990afe78b6_do_not_edit_manually.json |    2 +-
 ...a76-25529ba11b8b_do_not_edit_manually.json |    2 +-
 ...b17-90c0be6b1f10_do_not_edit_manually.json |    2 +-
 ...9b6-76bf5298a617_do_not_edit_manually.json |    2 +-
 ...fbd-01e3fac01cd5_do_not_edit_manually.json |    2 +-
 ...13a-f8dd48cddc8c_do_not_edit_manually.json |    2 +-
 ...cea-49ae725bb435_do_not_edit_manually.json |    2 +-
 ...46b-974354a107bb_do_not_edit_manually.json |    2 +-
 ...0b5-359bbcb14902_do_not_edit_manually.json |    2 +-
 ...cfd-43f7d9595777_do_not_edit_manually.json |    2 +-
 ...176-f1fa13589eea_do_not_edit_manually.json |    2 +-
 ...d19-67edc91fb063_do_not_edit_manually.json |    2 +-
 ...932-262005a2789c_do_not_edit_manually.json |    2 +-
 ...c1c-46804e636084_do_not_edit_manually.json |    2 +-
 ...499-0e4966d4361c_do_not_edit_manually.json |    2 +-
 ...e06-7b335e439c29_do_not_edit_manually.json |    2 +-
 ...7bc-a6e4a9efd98a_do_not_edit_manually.json |    2 +-
 ...030-e9b92168bbf4_do_not_edit_manually.json |    2 +-
 ...916-636c27ba4931_do_not_edit_manually.json |    2 +-
 ...b02-e72f870fcbd1_do_not_edit_manually.json |    2 +-
 ...58e-81b9418e6584_do_not_edit_manually.json |    2 +-
 ...901-b7fadfb0ba48_do_not_edit_manually.json |    2 +-
 ...038-3f7d5a3b8b11_do_not_edit_manually.json |    2 +-
 ...976-250cba2eaf5b_do_not_edit_manually.json |    2 +-
 ...00a-2b58303cac90_do_not_edit_manually.json |    2 +-
 ...fbd-7fd0eccf1d59_do_not_edit_manually.json |    2 +-
 ...320-33a96077fead_do_not_edit_manually.json |    2 +-
 ...e47-1574946412b6_do_not_edit_manually.json |    2 +-
 ...909-b69f3df32535_do_not_edit_manually.json |    2 +-
 ...27a-d619f2bb584a_do_not_edit_manually.json |    2 +-
 ...750-5db882ea1266_do_not_edit_manually.json |    2 +-
 ...87f-48a3dc07d4d3_do_not_edit_manually.json |    2 +-
 ...833-e971451b2979_do_not_edit_manually.json |    2 +-
 ...e19-e38e167432a1_do_not_edit_manually.json |    2 +-
 ...6b5-c43791eed1bc_do_not_edit_manually.json |    2 +-
 ...033-6f1f887a70f2_do_not_edit_manually.json |    2 +-
 ...597-d2944a601930_do_not_edit_manually.json |    2 +-
 ...6bd-91a447bb26bd_do_not_edit_manually.json |    2 +-
 ...846-6f2a794583e1_do_not_edit_manually.json |    2 +-
 ...f3b-f73a622c9687_do_not_edit_manually.json |    2 +-
 ...c99-5c2de7e1d340_do_not_edit_manually.json |    2 +-
 ...4fa-28d6c1f2e2a8_do_not_edit_manually.json |    2 +-
 ...d69-684a0b3835fc_do_not_edit_manually.json |    2 +-
 ...d60-8fd5e39140b3_do_not_edit_manually.json |    2 +-
 ...1d4-a1f96be1519b_do_not_edit_manually.json |    2 +-
 ...4e0-4f0c0f9138b8_do_not_edit_manually.json |    2 +-
 ...109-c6d85b91bbcf_do_not_edit_manually.json |    2 +-
 ...703-7452882e70da_do_not_edit_manually.json |    2 +-
 ...2ff-0e1cde564161_do_not_edit_manually.json |    2 +-
 ...630-da4fcdb8d5f1_do_not_edit_manually.json |    2 +-
 ...f81-30df7b1963a0_do_not_edit_manually.json |    2 +-
 ...e09-44d31626b694_do_not_edit_manually.json |    2 +-
 ...bb5-46e126c6a05d_do_not_edit_manually.json |    2 +-
 ...876-85102b18d832_do_not_edit_manually.json |    2 +-
 ...9db-68e8dc053b6b_do_not_edit_manually.json |    2 +-
 ...ccd-50e7c286e7af_do_not_edit_manually.json |    2 +-
 ...e5e-5c712b37248e_do_not_edit_manually.json |    2 +-
 ...515-75261514f861_do_not_edit_manually.json |    2 +-
 ...a4c-58a7893f93bb_do_not_edit_manually.json |    2 +-
 ...22a-4c7a547c31d6_do_not_edit_manually.json |    2 +-
 ...6cc-0ca31abd5d24_do_not_edit_manually.json |    2 +-
 ...85b-c9be72035ac4_do_not_edit_manually.json |    2 +-
 ...508-c4c5587146d6_do_not_edit_manually.json |    2 +-
 ...28f-3ee3cd5b9a8e_do_not_edit_manually.json |    2 +-
 ...47b-ef64dd87c981_do_not_edit_manually.json |    2 +-
 ...9a2-fd8ffbcdff50_do_not_edit_manually.json |    2 +-
 ...861-0253b15de650_do_not_edit_manually.json |    2 +-
 ...746-b2b9f366e34b_do_not_edit_manually.json |    2 +-
 ...780-b225c59e9f99_do_not_edit_manually.json |    2 +-
 ...d9a-cb657e29b929_do_not_edit_manually.json |    2 +-
 ...1f3-49e3993c16f5_do_not_edit_manually.json |    2 +-
 ...546-98539fc07725_do_not_edit_manually.json |    2 +-
 ...932-929fe619f6ea_do_not_edit_manually.json |    2 +-
 ...3ea-b9be92914fa2_do_not_edit_manually.json |    2 +-
 ...c61-6794fd44d9a8_do_not_edit_manually.json |    2 +-
 ...6db-90fcdd7236f1_do_not_edit_manually.json |    2 +-
 ...f2d-eed5013fe463_do_not_edit_manually.json |    2 +-
 ...4cf-3e64787c1c39_do_not_edit_manually.json |    2 +-
 ...b05-7776bd6d0eed_do_not_edit_manually.json |    2 +-
 ...124-fa4ab0b9d889_do_not_edit_manually.json |    2 +-
 ...60f-2d3fd0b46987_do_not_edit_manually.json |    2 +-
 ...c15-3828627ba899_do_not_edit_manually.json |    2 +-
 ...7a6-d575ffcb29f7_do_not_edit_manually.json |    2 +-
 ...5de-5c2722fa020e_do_not_edit_manually.json |    2 +-
 ...96b-a9a769bff683_do_not_edit_manually.json |    2 +-
 ...a62-49fa5f2c9206_do_not_edit_manually.json |    2 +-
 ...d8b-08d6315e1ef6_do_not_edit_manually.json |    2 +-
 ...d50-84ec4a9cef65_do_not_edit_manually.json |    2 +-
 ...893-a48b6903d871_do_not_edit_manually.json |    2 +-
 ...b7f-080c0f33fa75_do_not_edit_manually.json |    2 +-
 ...70f-fd3b54ba1fe4_do_not_edit_manually.json |    2 +-
 ...e15-4b99a12b754c_do_not_edit_manually.json |    2 +-
 ...fb3-f7c543fd84a5_do_not_edit_manually.json |    2 +-
 ...b6d-3f79045f28fa_do_not_edit_manually.json |    2 +-
 ...df0-c9ab2d5c2162_do_not_edit_manually.json |    2 +-
 ...a81-31090d723a60_do_not_edit_manually.json |    2 +-
 ...cef-4d7ddfc91d31_do_not_edit_manually.json |    2 +-
 ...bc9-74be1e0ca1c1_do_not_edit_manually.json |    2 +-
 ...cbb-bc830118c1f9_do_not_edit_manually.json |    2 +-
 ...079-ab35ac6b2ab9_do_not_edit_manually.json |    2 +-
 ...d7f-a0c39a2b2279_do_not_edit_manually.json |    2 +-
 ...398-031afe91faa0_do_not_edit_manually.json |    2 +-
 ...b3d-b7cb7b7db618_do_not_edit_manually.json |    2 +-
 ...079-3dd25d472e0a_do_not_edit_manually.json |    2 +-
 ...456-72fd8a2be5d8_do_not_edit_manually.json |    2 +-
 ...96a-8808b3c6cade_do_not_edit_manually.json |    2 +-
 ...18d-26e1e3b2409c_do_not_edit_manually.json |    2 +-
 ...f1d-772e9a30f0dd_do_not_edit_manually.json |    2 +-
 ...729-8cbc9c65be55_do_not_edit_manually.json |    2 +-
 ...563-db21da09cafd_do_not_edit_manually.json |    2 +-
 ...78a-51d62e84c8df_do_not_edit_manually.json |    2 +-
 ...4db-d6a2300f5580_do_not_edit_manually.json |    2 +-
 ...bcc-45fd108ba1be_do_not_edit_manually.json |    2 +-
 ...38d-e4a1381db8ed_do_not_edit_manually.json |    2 +-
 ...427-621541e881d5_do_not_edit_manually.json |    2 +-
 ...a9b-b07651f0630e_do_not_edit_manually.json |    2 +-
 ...93f-bbd70d114188_do_not_edit_manually.json |    2 +-
 ...90d-9af2f7be7019_do_not_edit_manually.json |    2 +-
 ...f50-521c76cad45d_do_not_edit_manually.json |    2 +-
 ...76c-408472fcfebb_do_not_edit_manually.json |    2 +-
 ...1ed-b9e88f05e67a_do_not_edit_manually.json |    2 +-
 ...462-cf7fc8bcd51a_do_not_edit_manually.json |    2 +-
 ...060-a9d9f2d270db_do_not_edit_manually.json |    2 +-
 ...dd4-30f1870e3d03_do_not_edit_manually.json |    2 +-
 ...afa-595bd430c0cb_do_not_edit_manually.json |    2 +-
 ...f79-da99b487b1af_do_not_edit_manually.json |    2 +-
 ...e37-842703494be0_do_not_edit_manually.json |    2 +-
 ...ae5-aa67d2f29fcb_do_not_edit_manually.json |    2 +-
 ...6fc-8f8b2c617466_do_not_edit_manually.json |    2 +-
 ...eb2-1c6088e24878_do_not_edit_manually.json |    2 +-
 ...881-59cde4a88d9b_do_not_edit_manually.json |    2 +-
 ...407-53bc3b8308b4_do_not_edit_manually.json |    2 +-
 ...24e-8156a77cebf5_do_not_edit_manually.json |    2 +-
 ...55c-34d2301c1f51_do_not_edit_manually.json |    2 +-
 ...f5b-6968f8ac04ba_do_not_edit_manually.json |    2 +-
 ...0b6-7df6738d5d7f_do_not_edit_manually.json |    2 +-
 ...991-bae9d2fe7768_do_not_edit_manually.json |    2 +-
 ...c80-d649040a127c_do_not_edit_manually.json |    2 +-
 ...175-83691c1e071c_do_not_edit_manually.json |    2 +-
 ...659-9bf0e577944f_do_not_edit_manually.json |    2 +-
 ...79a-f97be24cc02d_do_not_edit_manually.json |    2 +-
 ...538-f69326b68243_do_not_edit_manually.json |    2 +-
 ...e56-0242ac120002_do_not_edit_manually.json |    2 +-
 ...763-aad3451821e5_do_not_edit_manually.json |    2 +-
 ...966-fa50cbe77856_do_not_edit_manually.json |    2 +-
 ...210-ab23cf731b3a_do_not_edit_manually.json |    2 +-
 ...0ce-dbcae04eaf26_do_not_edit_manually.json |    2 +-
 ...b7a-4f2d0a518b04_do_not_edit_manually.json |    2 +-
 ...475-a7f43754ab6d_do_not_edit_manually.json |    2 +-
 ...5aa-2a6a900df99b_do_not_edit_manually.json |    2 +-
 ...3ba-652eca2e8ed0_do_not_edit_manually.json |    2 +-
 ...895-c8769a749d45_do_not_edit_manually.json |    2 +-
 ...f7a-9408332a15d0_do_not_edit_manually.json |    2 +-
 ...b61-836b2d45a742_do_not_edit_manually.json |    2 +-
 ...804-d68fb7a60859_do_not_edit_manually.json |    2 +-
 ...04b-ebda6756db60_do_not_edit_manually.json |    2 +-
 ...43e-9848cadb1f99_do_not_edit_manually.json |    2 +-
 ...446-2e194c6d4e80_do_not_edit_manually.json |    2 +-
 ...f30-f144229f37ee_do_not_edit_manually.json |    2 +-
 ...844-f7f4d7348199_do_not_edit_manually.json |    2 +-
 ...a2c-6a89635d8615_do_not_edit_manually.json |    2 +-
 ...6dc-b9195c3a24e3_do_not_edit_manually.json |    2 +-
 ...a64-fb65d4b0a4cf_do_not_edit_manually.json |    2 +-
 ...334-affc0a11dedd_do_not_edit_manually.json |    2 +-
 ...847-983f38efb8ff_do_not_edit_manually.json |    2 +-
 ...602-a5994544d9ed_do_not_edit_manually.json |    2 +-
 ...e3d-587fdd99a421_do_not_edit_manually.json |    2 +-
 ...bb3-f0290b99f014_do_not_edit_manually.json |    2 +-
 ...723-84060aeb5529_do_not_edit_manually.json |    2 +-
 ...f71-46155af56570_do_not_edit_manually.json |    2 +-
 ...15f-1f83807ff3cc_do_not_edit_manually.json |    2 +-
 ...c8d-e3191c4ac7fa_do_not_edit_manually.json |    2 +-
 ...9e6-ee5a00ee0956_do_not_edit_manually.json |    2 +-
 ...fa0-c63661820941_do_not_edit_manually.json |    2 +-
 ...73d-6eb8b982afcd_do_not_edit_manually.json |    2 +-
 ...3fa-bd82b7744a9a_do_not_edit_manually.json |    2 +-
 ...9c5-e075f3fb3216_do_not_edit_manually.json |    2 +-
 ...025-7b80a301ac28_do_not_edit_manually.json |    2 +-
 ...e89-f2b8be4baf4e_do_not_edit_manually.json |    2 +-
 ...0f6-f15051b04a7e_do_not_edit_manually.json |    2 +-
 ...8ed-b7fb3d7fa232_do_not_edit_manually.json |    2 +-
 ...898-ab6112dd52c3_do_not_edit_manually.json |    2 +-
 ...785-c1276277b5d7_do_not_edit_manually.json |    2 +-
 ...ea4-247b12b3d74b_do_not_edit_manually.json |    2 +-
 ...e0e-ca4e6cecf7e6_do_not_edit_manually.json |    2 +-
 ...c26-dcfbf937b630_do_not_edit_manually.json |    2 +-
 ...09d-cf0e5daf3ccd_do_not_edit_manually.json |    2 +-
 ...cd5-e1b4aa752a73_do_not_edit_manually.json |    2 +-
 ...aa0-4ef2e19618df_do_not_edit_manually.json |    2 +-
 ...af5-b69c7b679887_do_not_edit_manually.json |    2 +-
 ...d9d-1a018cd8c4bb_do_not_edit_manually.json |    2 +-
 ...cb6-2f574bd4ce51_do_not_edit_manually.json |    2 +-
 ...671-77903dc8de69_do_not_edit_manually.json |    2 +-
 ...399-ddd992d48472_do_not_edit_manually.json |    2 +-
 ...3be-80874d1bd2d5_do_not_edit_manually.json |    2 +-
 ...c2d-e2cfa46bf0e5_do_not_edit_manually.json |    2 +-
 ...098-fe4a9e0aeaa0_do_not_edit_manually.json |    2 +-
 ...898-057387d7c5d4_do_not_edit_manually.json |    2 +-
 ...f00-11f490ae15f4_do_not_edit_manually.json |    2 +-
 ...802-c66b7c90366d_do_not_edit_manually.json |    2 +-
 ...272-2f8361e63644_do_not_edit_manually.json |    2 +-
 ...15a-a4b010d9a872_do_not_edit_manually.json |    2 +-
 ...7e6-7e0948e12415_do_not_edit_manually.json |    2 +-
 ...a34-5ffff0a2c56f_do_not_edit_manually.json |    2 +-
 ...0ca-b33f9b27f3d9_do_not_edit_manually.json |    2 +-
 ...e08-d02dd9100af8_do_not_edit_manually.json |    2 +-
 ...in_rules_changelog_do_not_edit_manually.md |  770 ++++++-------
 .../built_in_rules_do_not_edit_manually.md    |    2 +-
 .../detection/generated/rules_index.json      |    2 +-
 ...-a407-53bc3b8308b4_do_not_edit_manually.md |   12 +
 .../built_in_detection_rules_eventids.md      | 1004 ++++++++---------
 224 files changed, 1119 insertions(+), 1109 deletions(-)

diff --git a/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
index c19bb33de9..28a3bab686 100644
--- a/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Kubernetes Engine", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: QakBot Process Creation, Linux Bash Reverse Shell, Invoke-TheHash Commandlets, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, PowerShell EncodedCommand, MalwareBytes Uninstallation, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, Mustang Panda Dropper, Socat Reverse Shell Detection, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Process Trace Alteration, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Linux Masquerading Space After Name, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage, Container Credential Access"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Services, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Disable Services, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Windows Defender Logging Modification Via Registry, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, WMImplant Hack Tool, Blue Mockingbird Malware"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Component Object Model Hijacking, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Generic, Suspicious PowerShell Keywords, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Powershell Web Request And Windows Script, FromBase64String Command Line, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Executions, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Equation Group DLL_U Load, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Executions, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Suspicious Desktopimgdownldr Execution, MavInject Process Injection"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Rclone Process, Suspicious Desktopimgdownldr Execution, Suspicious certutil command"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Kubernetes Engine", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Linux Masquerading Space After Name, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Allowed Python Program, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, WMIC Uninstall Product, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Socat Reverse Shell Detection, PowerShell Commands Invocation, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, Mustang Panda Dropper, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Cmd.exe Command Line, Linux Bash Reverse Shell, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 1, NlTest Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, Invoke-TheHash Commandlets, PowerShell EncodedCommand, PowerShell Invoke Expression With Registry, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Tactical RMM Installation, Invoke-TheHash Commandlets, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, WMIC Uninstall Product"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, MavInject Process Injection, Suspicious Taskkill Command, CertOC Loading Dll, Control Panel Items, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious certutil command, Rclone Process, Pandemic Windows Implant"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_016fda46-6c98-4c2d-855e-d3fd74d86cb4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_016fda46-6c98-4c2d-855e-d3fd74d86cb4_do_not_edit_manually.json
index 225ec0299b..dbfdd163f3 100644
--- a/_shared_content/operations_center/detection/generated/attack_016fda46-6c98-4c2d-855e-d3fd74d86cb4_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_016fda46-6c98-4c2d-855e-d3fd74d86cb4_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Wiz Threat Detections", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Wiz Threat Detections", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json
index 9d9376d1c9..44186c27c3 100644
--- a/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Elastic AuditBeat Linux", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Python Offensive Tools and Packages, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Generic, Suspicious VBS Execution Parameter, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Generic-reverse-shell-oneliner, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Aspnet Compiler, PowerShell EncodedCommand, MalwareBytes Uninstallation, Elise Backdoor, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Interactive Terminal Spawned via Python, Mustang Panda Dropper, Sysprep On AppData Folder, Socat Reverse Shell Detection, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Services, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, SSH Tunnel Traffic, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, SSH X11 Forwarding"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, Container Credential Access, Opening Of a Password File, Credentials Extraction, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: File and Directory Permissions Modification, Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File and Directory Permissions Modification, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, Process Trace Alteration, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Remote File Copy, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1620", "score": 100, "comment": "Rules: Linux Fileless Execution"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values"}, {"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, Setuid Or Setgid Usage"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Chflags Hidden, Hiding Files With Attrib.exe"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Openfiles Usage, Network Scanning and Discovery"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Linux Binary Masquerading, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Linux Binary Masquerading, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining, Many Downloads From Several Binaries, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Windows Defender Logging Modification Via Registry, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, Suspicious Windows Installer Execution, MavInject Process Injection, xWizard Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Explorer Process Executing HTA File, Control Panel Items, Mshta JavaScript Execution, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WerFaultSecure Abuse"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, QakBot Process Creation, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Component Object Model Hijacking, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, FromBase64String Command Line, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Remote System Discovery Via Telnet, Adidnsdump Enumeration, System Network Connections Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Rclone Process"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credentials Extraction, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft IIS Module Installation, PowerCat Function Loading"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot, User Added To Admin Group Via Cmd, Dscl Authonly"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Elastic AuditBeat Linux", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Suspicious VBS Execution Parameter, PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell EncodedCommand, PowerShell Downgrade Attack, Interactive Terminal Spawned via Python, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, WMIC Uninstall Product, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, Python Offensive Tools and Packages, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Sysprep On AppData Folder, PowerShell Commands Invocation, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Generic-reverse-shell-oneliner, Socat Relaying Socket, Mustang Panda Dropper, JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, Suspicious Cmd.exe Command Line, Suspicious XOR Encoded PowerShell Command Line, Aspnet Compiler, Linux Bash Reverse Shell, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Netsh Allow Command, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Remote File Copy, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Exfiltration And Tunneling Tools Execution, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SSH X11 Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, SSH Tunnel Traffic, Ngrok Process Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, Shadow Copies"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Cryptomining, Many Downloads From Several Binaries, Dynamic DNS Contacted"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Kernel Module Alteration, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: File and Directory Permissions Modification, Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File and Directory Permissions Modification, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, Chflags Hidden, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Credentials Extraction, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, HackTools Suspicious Names, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1620", "score": 100, "comment": "Rules: Linux Fileless Execution"}, {"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, Setuid Or Setgid Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Linux Binary Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Linux Binary Masquerading, RTLO Character, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 1"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 1, NlTest Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, PowerShell Malicious Nishang PowerShell Commandlets, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WerFaultSecure Abuse, Tactical RMM Installation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, CMSTP Execution, Suspicious Regsvr32 Execution, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, System Network Connections Discovery"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, PsExec Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credentials Extraction, PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft IIS Module Installation"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd, Enable Root Account With Dsenableroot, Dscl Authonly"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json
index d9767f51c0..d5205c3132 100644
--- a/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Citrix NetScaler / ADC", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, PowerShell EncodedCommand, MalwareBytes Uninstallation, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, Mustang Panda Dropper, Socat Reverse Shell Detection, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Process Trace Alteration, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Outlook Registry Access, XCopy Suspicious Usage, Container Credential Access"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Services, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Disable Services, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Windows Defender Logging Modification Via Registry, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, WMImplant Hack Tool, Blue Mockingbird Malware"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Component Object Model Hijacking, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Generic, Suspicious PowerShell Keywords, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Powershell Web Request And Windows Script, FromBase64String Command Line, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Executions, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Equation Group DLL_U Load, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Executions, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Suspicious Desktopimgdownldr Execution, MavInject Process Injection"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Rclone Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Dynamic DNS Contacted, Cryptomining, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, DNS Exfiltration and Tunneling Tools Execution, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, Citrix NetScaler (ADC) Actions Blocked"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Citrix NetScaler / ADC", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, WMIC Uninstall Product, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, PowerShell Commands Invocation, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, Mustang Panda Dropper, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Cmd.exe Command Line, Linux Bash Reverse Shell, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Allowed Python Program, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 1, NlTest Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, Invoke-TheHash Commandlets, PowerShell EncodedCommand, PowerShell Invoke Expression With Registry, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Tactical RMM Installation, Invoke-TheHash Commandlets, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, WMIC Uninstall Product"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, MavInject Process Injection, Suspicious Taskkill Command, CertOC Loading Dll, Control Panel Items, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Python HTTP Server, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious certutil command, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, Citrix NetScaler (ADC) Actions Blocked"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
index 9637970e30..9b5878b667 100644
--- a/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WithSecure Elements", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: WithSecure Elements Critical Severity, Suspicious File Name, QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Python Offensive Tools and Packages, Login Brute-Force Successful On SentinelOne EDR Management Console, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Generic, Suspicious VBS Execution Parameter, Powershell Web Request And Windows Script, WithSecure Elements Warning Severity, Microsoft Defender Antivirus Threat Detected, Generic-reverse-shell-oneliner, Suspicious Microsoft Defender Antivirus Exclusion Command, AutoIt3 Execution From Suspicious Folder, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Aspnet Compiler, PowerShell EncodedCommand, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Elise Backdoor, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Interactive Terminal Spawned via Python, Mustang Panda Dropper, Sysprep On AppData Folder, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, WithSecure Elements Critical Severity, Cobalt Strike Default Beacons Names, Microsoft Defender Antivirus Threat Detected, Microsoft Office Creating Suspicious File, WithSecure Elements Warning Severity, Malspam Execution Registering Malicious DLL, Login Brute-Force Successful On SentinelOne EDR Management Console, Explorer Process Executing HTA File"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: WithSecure Elements Critical Severity, Usage Of Sysinternals Tools, SolarWinds Suspicious File Creation, WithSecure Elements Warning Severity, Microsoft Defender Antivirus Threat Detected, PsExec Process, Login Brute-Force Successful On SentinelOne EDR Management Console, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1547.013", "score": 100, "comment": "Rules: Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Leviathan Registry Key Activity, Suspicious desktop.ini Action, Njrat Registry Values, Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, Process Trace Alteration, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Createdump, WCE wceaux.dll Creation, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, Hijack Legit RDP Session To Move Laterally, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Legitimate Process Execution From Unusual Folder, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Chflags Hidden, Hiding Files With Attrib.exe"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Openfiles Usage, Network Scanning and Discovery"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Deleted, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Windows Defender Logging Modification Via Registry, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, Suspicious Windows Installer Execution, MavInject Process Injection, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Explorer Process Executing HTA File, Control Panel Items, Mshta JavaScript Execution, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WerFaultSecure Abuse"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Taskkill Command, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, QakBot Process Creation, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Component Object Model Hijacking, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Rclone Process"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining, Koadic MSHTML Command, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft IIS Module Installation, Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, User Added To Admin Group Via Cmd, Dscl Authonly, Account Removed From A Security Enabled Group, Enable Root Account With Dsenableroot"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WithSecure Elements", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Suspicious VBS Execution Parameter, PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell EncodedCommand, Microsoft Office Creating Suspicious File, PowerShell Downgrade Attack, Interactive Terminal Spawned via Python, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, WMIC Uninstall Product, Invoke-TheHash Commandlets, Lazarus Loaders, WithSecure Elements Critical Severity, PowerShell Invoke Expression With Registry, Powershell Web Request, Python Offensive Tools and Packages, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Sysprep On AppData Folder, PowerShell Commands Invocation, AutoIt3 Execution From Suspicious Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Generic-reverse-shell-oneliner, Socat Relaying Socket, Mustang Panda Dropper, Microsoft Defender Antivirus Threat Detected, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, Suspicious Cmd.exe Command Line, Suspicious XOR Encoded PowerShell Command Line, Aspnet Compiler, Exploiting SetupComplete.cmd CVE-2019-1378, WithSecure Elements Warning Severity, Linux Bash Reverse Shell, Malspam Execution Registering Malicious DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Login Brute-Force Successful On SentinelOne EDR Management Console, Suspicious File Name"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: WithSecure Elements Critical Severity, WithSecure Elements Warning Severity, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Sysmon Windows File Block Executable, Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: WithSecure Elements Critical Severity, WithSecure Elements Warning Severity, Exfiltration Via Pscp, PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console, SolarWinds Suspicious File Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Sysmon Windows File Block Executable"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Koadic MSHTML Command, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Email Attachment Received"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, Netsh RDP Port Opening, ETW Tampering, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Services, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disable .NET ETW Through COMPlus_ETWEnabled, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Tampering Detected, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, Shadow Copies"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Kernel Module Alteration, Njrat Registry Values, Linux Suspicious Auto-start Desktop Shortcut Execution, Suspicious desktop.ini Action, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, Chflags Hidden, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1547.013", "score": 100, "comment": "Rules: Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, WCE wceaux.dll Creation, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 1"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 1, NlTest Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WerFaultSecure Abuse, Tactical RMM Installation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regsvr32 Execution, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Lazarus Loaders, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools, OneNote Suspicious Children Process"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Koadic MSHTML Command"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, Impacket Addcomputer, User Account Created"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft IIS Module Installation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, User Added To Admin Group Via Cmd, Account Removed From A Security Enabled Group, Enable Root Account With Dsenableroot, Dscl Authonly"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Email Attachment Received"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.json
index b2745d835a..70acf86437 100644
--- a/_shared_content/operations_center/detection/generated/attack_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Mimecast Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Mimecast Email Security Spam Not Denied, Cobalt Strike Default Beacons Names, Mimecast Email Security Virus Not Denied, Mimecast Email Security Malicious QRCode Not Denied"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Mimecast Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Mimecast Email Security Spam Not Denied, Mimecast Email Security Virus Not Denied, Mimecast Email Security Malicious QRCode Not Denied, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Dynamic DNS Contacted, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Email Attachment Received, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_042ca68e-dbdd-4646-8d9d-01ca28882c3f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_042ca68e-dbdd-4646-8d9d-01ca28882c3f_do_not_edit_manually.json
index 0e4b83d8b6..38fc21f25e 100644
--- a/_shared_content/operations_center/detection/generated/attack_042ca68e-dbdd-4646-8d9d-01ca28882c3f_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_042ca68e-dbdd-4646-8d9d-01ca28882c3f_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Akamai Guardicore On-Prem [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Sekoia.io EICAR Detection, Bloodhound and Sharphound Tools Usage, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading, RTLO Character"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Akamai Guardicore On-Prem [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Cryptomining, Suspicious Windows DNS Queries, Koadic MSHTML Command, Dynamic DNS Contacted, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, RTLO Character, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Suspicious Windows DNS Queries"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_049b3dfd-8f67-40b6-a22d-b86ba3b42a05_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_049b3dfd-8f67-40b6-a22d-b86ba3b42a05_do_not_edit_manually.json
index 42e0d3d547..9e8d1e71b0 100644
--- a/_shared_content/operations_center/detection/generated/attack_049b3dfd-8f67-40b6-a22d-b86ba3b42a05_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_049b3dfd-8f67-40b6-a22d-b86ba3b42a05_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Delinea PRA", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cryptomining, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Delinea PRA", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json
index a082a64a5e..c8cbeecc28 100644
--- a/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Workspace / ChromeOS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1531", "score": 100, "comment": "Rules: Google Workspace User Suspended, Google Workspace User Deletion, Google Workspace Admin Deletion"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: Google Workspace MFA changed"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Google Workspace MFA changed, Google Workspace Password Change"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Google Workspace Domain Delegation, Google Workspace Admin Modification"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Google Workspace Login Brute-Force"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Google Workspace Account Warning, Google Workspace Admin Creation"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Google Workspace App Script Scheduled Task"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Google Workspace Blocked Sender, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Google Workspace Email Forwarding"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Google Workspace Email Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Google Workspace External Sharing, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Workspace / ChromeOS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Google Workspace User Deletion, Google Workspace User Suspended, Google Workspace Admin Deletion"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Google Workspace App Script Scheduled Task"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Google Workspace Email Forwarding"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Google Workspace Email Forwarding"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: Google Workspace MFA changed"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Google Workspace MFA changed, Google Workspace Password Change"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Google Workspace Blocked Sender, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Google Workspace Login Brute-Force"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Google Workspace External Sharing, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Google Workspace Admin Modification, Google Workspace Domain Delegation"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Google Workspace Account Warning, Google Workspace Admin Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
index 616918225b..a3e96598c8 100644
--- a/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft Defender XDR / Microsoft 365 Defender", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Microsoft Defender XDR Alert, Suspicious File Name, QakBot Process Creation, Microsoft Defender XDR Entra ID Protection Alert, Sekoia.io EICAR Detection, Linux Bash Reverse Shell, Invoke-TheHash Commandlets, FromBase64String Command Line, Microsoft Defender XDR Endpoint Alert, Python Offensive Tools and Packages, Login Brute-Force Successful On SentinelOne EDR Management Console, Powershell Web Request, SquirrelWaffle Malspam Execution Loading DLL, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, Trickbot Malware Activity, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Generic, Suspicious VBS Execution Parameter, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Generic-reverse-shell-oneliner, Correlation Supicious Powershell Drop and Exec, Web Application Launching Shell, Suspicious Microsoft Defender Antivirus Exclusion Command, AutoIt3 Execution From Suspicious Folder, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Microsoft Defender XDR Office 365 Alert, PowerShell EncodedCommand, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Elise Backdoor, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, Microsoft Defender XDR Data Loss Prevention Alert, Interactive Terminal Spawned via Python, Mustang Panda Dropper, PowerShell Malicious Nishang PowerShell Commandlets, Screenconnect Remote Execution, Mshta Suspicious Child Process, Sysprep On AppData Folder, Socat Reverse Shell Detection, Exploited CVE-2020-10189 Zoho ManageEngine, Correlation Netcat Infection Chain, Microsoft Office Spawning Script, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection, Microsoft Defender XDR Cloud App Security Alert"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Microsoft Defender XDR Alert, Microsoft Defender XDR Entra ID Protection Alert, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Microsoft Defender XDR Endpoint Alert, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel, Login Brute-Force Successful On SentinelOne EDR Management Console, HTA Infection Chains, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Correlation PowerShell Suspicious DLL Loading, MS Office Product Spawning Exe in User Dir, ISO LNK Infection Chain, Microsoft Defender XDR Office 365 Alert, Exploit For CVE-2015-1641, Microsoft Defender XDR Data Loss Prevention Alert, Winword Document Droppers, Download Files From Suspicious TLDs, Microsoft Office Spawning Script, Microsoft Defender XDR Cloud App Security Alert"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Microsoft Defender XDR Alert, Searchprotocolhost Child Found, Smss Wrong Parent, Microsoft Defender XDR Entra ID Protection Alert, Winrshost Wrong Parent, Microsoft Defender XDR Endpoint Alert, Gpscript Suspicious Parent, Login Brute-Force Successful On SentinelOne EDR Management Console, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Wininit Wrong Parent, Logonui Wrong Parent, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, PsExec Process, Microsoft Defender XDR Office 365 Alert, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Microsoft Defender XDR Data Loss Prevention Alert, Windows Update LolBins, Csrss Child Found, SolarWinds Suspicious File Creation, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, Microsoft Defender XDR Cloud App Security Alert, OneNote Suspicious Children Process, Dllhost Wrong Parent, Suspicious DNS Child Process"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Driver Loaded, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, Disabled Service, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, Netsh Port Forwarding, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, FLTMC command usage, Netsh Allow Command, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, Disabled Service, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Powershell AMSI Bypass, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1547.013", "score": 100, "comment": "Rules: Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, DLL Load via LSASS Registry Key, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, Svchost Modification, Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration, Njrat Registry Values, Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Correlation Netcat Infection Chain"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Trace Alteration, Copying Browser Files With Credentials, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Wdigest Enable UseLogonCredential, Credential Dump Tools Related Files, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, HackTools Suspicious Names, Windows Credential Editor Registry Key, WCE wceaux.dll Creation, Rubeus Tool Command-line, NetNTLM Downgrade Attack, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation, Elevated Shell Launched By Browser, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Legitimate Process Execution From Unusual Folder, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery, WMI Fingerprint Commands"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Correlation Netcat Infection Chain, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Rclone Process"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection, Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, Shell PID Injection, COM Hijack Via Sdclt, Reconnaissance Commands Activities, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, PowerView commandlets 1, Shell PID Injection, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Shell PID Injection, Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Chflags Hidden, Hiding Files With Attrib.exe"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, CVE-2021-4034 Polkit's pkexec, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Clear EventLogs Through CommandLine, Correlation Post Exploitation Patterns Via Winrm, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Mshta Command From A Scheduled Task, Spoolsv Wrong Parent, MavInject Process Injection, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, OceanLotus Registry Activity, Windows Defender Logging Modification Via Registry, LanManServer Registry Modify, NetNTLM Downgrade Attack, Ursnif Registry Key, DHCP Callout DLL Installation, Disabling SmartScreen Via Registry, FlowCloud Malware, RDP Sensitive Settings Changed, DNS ServerLevelPluginDll Installation, Suspicious Desktopimgdownldr Execution, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, MOFComp Execution, Suspicious Windows Installer Execution, IcedID Execution Using Excel, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Explorer Process Executing HTA File, Control Panel Items, Mshta JavaScript Execution, AccCheckConsole Executing Dll, CMSTP UAC Bypass via COM Object Access, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1070.008", "score": 100, "comment": "Rules: Correlation Post Exploitation Patterns Via Winrm"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Email Attachment Received"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Email Attachment Received, RDP Configuration File From Mail Process, Suspicious Double Extension, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, WMI Fingerprint Commands, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Process Call Creation, VSCode Tunnel Shell Exec, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WerFaultSecure Abuse, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, Screenconnect Remote Execution, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Taskkill Command, Web Application Launching Shell, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Wininit Wrong Parent, Logonui Wrong Parent, New Service Creation, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Wininit Wrong Parent, Logonui Wrong Parent, New Service Creation, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Wininit Wrong Parent, Logonui Wrong Parent, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, PsExec Process, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Csrss Child Found, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Suspicious DNS Child Process"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Change Default File Association, COM Hijack Via Sdclt, Reconnaissance Commands Activities, Component Object Model Hijacking, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Correlation Supicious Powershell Drop and Exec, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, Screenconnect Remote Execution, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Trickbot Malware Activity, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Svchost Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Remote System Discovery Via Telnet, Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Download Files From Suspicious TLDs, ISO LNK Infection Chain, HTA Infection Chains, Correlation PowerShell Suspicious DLL Loading"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Suspicious DNS Child Process"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Generic Password Discovery, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Cryptomining, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Download File On Cloud Storage Through Command Line, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, DNS Exfiltration and Tunneling Tools Execution, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Msdt (Follina) File Browse Process Execution, Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Download File On Cloud Storage Through Command Line, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft IIS Module Installation, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1563.001", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1563", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot, User Added To Admin Group Via Cmd, Dscl Authonly"}, {"techniqueID": "T1555.001", "score": 100, "comment": "Rules: Generic Password Discovery"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft Defender XDR / Microsoft 365 Defender", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Suspicious VBS Execution Parameter, PowerShell Download From URL, Powershell Web Request And Windows Script, Microsoft Defender XDR Alert, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender XDR Entra ID Protection Alert, Suspicious Taskkill Command, PowerShell EncodedCommand, PowerShell Downgrade Attack, Interactive Terminal Spawned via Python, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Web Application Launching Shell, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Correlation Netcat Infection Chain, Microsoft Defender XDR Endpoint Alert, WMIC Uninstall Product, Trickbot Malware Activity, Microsoft Defender XDR Data Loss Prevention Alert, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, Powershell Web Request, Python Offensive Tools and Packages, Screenconnect Remote Execution, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender XDR Cloud App Security Alert, Elise Backdoor, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Suspicious Outlook Child Process, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Sysprep On AppData Folder, PowerShell Commands Invocation, AutoIt3 Execution From Suspicious Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Generic-reverse-shell-oneliner, SquirrelWaffle Malspam Execution Loading DLL, Socat Relaying Socket, Mustang Panda Dropper, JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, Mshta Suspicious Child Process, Suspicious Cmd.exe Command Line, Suspicious XOR Encoded PowerShell Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Bash Reverse Shell, Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Login Brute-Force Successful On SentinelOne EDR Management Console, Suspicious File Name, Microsoft Defender XDR Office 365 Alert"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender XDR Alert, Microsoft Defender XDR Entra ID Protection Alert, ZIP LNK Infection Chain, Microsoft Office Product Spawning Windows Shell, HTA Infection Chains, Microsoft Defender XDR Endpoint Alert, Exploit For CVE-2015-1641, Microsoft Defender XDR Data Loss Prevention Alert, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, Microsoft Defender XDR Cloud App Security Alert, Suspicious Outlook Child Process, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, Download Files From Suspicious TLDs, Winword Document Droppers, Correlation PowerShell Suspicious DLL Loading, ISO LNK Infection Chain, Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL, Login Brute-Force Successful On SentinelOne EDR Management Console, Microsoft Defender XDR Office 365 Alert"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Smss Wrong Parent, Windows Update LolBins, Microsoft Defender XDR Alert, Taskhost Wrong Parent, Microsoft Defender XDR Entra ID Protection Alert, Lsass Wrong Parent, Microsoft Defender XDR Office 365 Alert, Microsoft Defender XDR Endpoint Alert, OneNote Suspicious Children Process, Wininit Wrong Parent, Svchost Wrong Parent, Winlogon wrong parent, Microsoft Defender XDR Data Loss Prevention Alert, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Exfiltration Via Pscp, Csrss Wrong Parent, Rare Lsass Child Found, Microsoft Defender XDR Cloud App Security Alert, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Mshta Command From A Scheduled Task, Csrss Child Found, SolarWinds Suspicious File Creation, Rare Logonui Child Found, SolarWinds Wrong Child Process, PsExec Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Login Brute-Force Successful On SentinelOne EDR Management Console, Winrshost Wrong Parent"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cryptomining, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Download File On Cloud Storage Through Command Line, Covenant Default HTTP Beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Dynamic DNS Contacted, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Suspicious Email Attachment Received, Suspicious Outlook Child Process"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Correlation Priv Esc Via Remote Thread, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, CMSTP UAC Bypass via COM Object Access, HTML Smuggling Suspicious Usage, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, Shell PID Injection, UAC Bypass Via Sdclt, Reconnaissance Commands Activities"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 1, PowerView commandlets 2, Shell PID Injection, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Attempt to Disable Gatekeeper Execution Control, SELinux Disabling, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Fail2ban Unban IP, Disabled Service, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, Netsh Program Allowed With Suspicious Location, Disable .NET ETW Through COMPlus_ETWEnabled, SELinux Disabling, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Attempt to Disable Gatekeeper Execution Control, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Fail2ban Unban IP, Disabled Service, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, FLTMC command usage, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Possible Malicious File Double Extension, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Correlation Netcat Infection Chain, Linux Bash Reverse Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Correlation Netcat Infection Chain, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Smss Wrong Parent, MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Taskhost Wrong Parent, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Mshta Command From A Scheduled Task, Svchost Wrong Parent"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, WMI Fingerprint Commands, System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, Elevated Shell Launched By Browser"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key, Malware Persistence Registry Key, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, Linux Suspicious Auto-start Desktop Shortcut Execution, Suspicious desktop.ini Action, Microsoft Office Macro Security Registry Modifications, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Security Support Provider (SSP) Added to LSA Configuration, Powershell Winlogon Helper DLL"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Certify Or Certipy, Suspicious New Printer Ports In Registry, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Correlation Post Exploitation Patterns Via Winrm, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, Chflags Hidden, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1547.013", "score": 100, "comment": "Rules: Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Mimikatz Basic Commands, NetNTLM Downgrade Attack, Copying Browser Files With Credentials, HackTools Suspicious Names, Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage, Component Object Model Hijacking, Reconnaissance Commands Activities"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Disabling SmartScreen Via Registry, Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Suspicious Desktopimgdownldr Execution, Windows Defender Logging Modification Via Registry, RDP Sensitive Settings Changed, DNS ServerLevelPluginDll Installation, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, Disable Workstation Lock, NetNTLM Downgrade Attack, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious New Printer Ports In Registry, LanManServer Registry Modify, OceanLotus Registry Activity"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 1, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Powershell Web Request, Screenconnect Remote Execution, PowerShell Malicious Nishang PowerShell Commandlets, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Mshta Suspicious Child Process, Suspicious XOR Encoded PowerShell Command Line, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Smss Wrong Parent, Taskhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Child Found, Mshta Command From A Scheduled Task, Rare Logonui Child Found, New Service Creation, SolarWinds Wrong Child Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Smss Wrong Parent, Taskhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Child Found, Mshta Command From A Scheduled Task, Rare Logonui Child Found, New Service Creation, SolarWinds Wrong Child Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Smss Wrong Parent, Taskhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Mshta Command From A Scheduled Task, Csrss Child Found, Rare Logonui Child Found, SolarWinds Wrong Child Process, PsExec Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WerFaultSecure Abuse, Tactical RMM Installation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, WMI Fingerprint Commands, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, VSCode Tunnel Shell Exec, Impacket Wmiexec Module, Suspicious Mshta Execution From Wmi, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, CMSTP UAC Bypass via COM Object Access, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regsvr32 Execution, xWizard Execution, AccCheckConsole Executing Dll, MOFComp Execution, Suspicious Windows Installer Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Lazarus Loaders, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Screenconnect Remote Execution, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Mustang Panda Dropper, Web Application Launching Shell, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Winword Document Droppers, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1070.008", "score": 100, "comment": "Rules: Correlation Post Exploitation Patterns Via Winrm"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Python HTTP Server, Download File On Cloud Storage Through Command Line, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Download Files From Suspicious TLDs, Suspicious New Printer Ports In Registry, Exploit For CVE-2015-1641"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Correlation PowerShell Suspicious DLL Loading, ISO LNK Infection Chain, ZIP LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Email Attachment Received, RDP Configuration File From Mail Process"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Generic Password Discovery, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Suspicious DNS Child Process, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, RDP Configuration File From Mail Process"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd, Enable Root Account With Dsenableroot, Dscl Authonly"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1555.001", "score": 100, "comment": "Rules: Generic Password Discovery"}, {"techniqueID": "T1563.001", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1563", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
index a83cec578f..0881427a6a 100644
--- a/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x VMware vCenter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Python Offensive Tools and Packages, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Generic, Suspicious VBS Execution Parameter, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Generic-reverse-shell-oneliner, Correlation Supicious Powershell Drop and Exec, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Aspnet Compiler, PowerShell EncodedCommand, MalwareBytes Uninstallation, Elise Backdoor, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Interactive Terminal Spawned via Python, Mustang Panda Dropper, Sysprep On AppData Folder, Socat Reverse Shell Detection, Correlation Netcat Infection Chain, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Correlation Netcat Infection Chain"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, Process Trace Alteration, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Hijack Legit RDP Session To Move Laterally, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, Elevated Shell Launched By Browser, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery, WMI Fingerprint Commands"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Correlation Netcat Infection Chain, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Rclone Process"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, Shell PID Injection, Reconnaissance Commands Activities, COM Hijack Via Sdclt, UAC Bypass Via Sdclt"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, PowerView commandlets 1, Shell PID Injection, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Shell PID Injection, Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Chflags Hidden, Hiding Files With Attrib.exe"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Windows Defender Logging Modification Via Registry, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, Suspicious Windows Installer Execution, MavInject Process Injection, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Explorer Process Executing HTA File, Control Panel Items, Mshta JavaScript Execution, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, WMI Fingerprint Commands, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WerFaultSecure Abuse"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, QakBot Process Creation, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Change Default File Association, COM Hijack Via Sdclt, Reconnaissance Commands Activities, Component Object Model Hijacking, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Correlation Supicious Powershell Drop and Exec, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery, Correlation Admin Files Checked On Network Share"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Remote System Discovery Via Telnet, Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining, Cobalt Strike HTTP Default POST Beaconing, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Python HTTP Server, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default POST Beaconing, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, User Added To Admin Group Via Cmd, Dscl Authonly, Account Removed From A Security Enabled Group, Enable Root Account With Dsenableroot"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft IIS Module Installation, PowerCat Function Loading, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x VMware vCenter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Suspicious VBS Execution Parameter, PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell EncodedCommand, PowerShell Downgrade Attack, Interactive Terminal Spawned via Python, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Correlation Netcat Infection Chain, WMIC Uninstall Product, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, Powershell Web Request, Python Offensive Tools and Packages, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Sysprep On AppData Folder, PowerShell Commands Invocation, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Generic-reverse-shell-oneliner, Socat Relaying Socket, Mustang Panda Dropper, JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, Suspicious Cmd.exe Command Line, Suspicious XOR Encoded PowerShell Command Line, Aspnet Compiler, Linux Bash Reverse Shell, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Shell PID Injection, UAC Bypass Via Sdclt, Reconnaissance Commands Activities"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 1, PowerView commandlets 2, Shell PID Injection, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Correlation Netcat Infection Chain, Linux Bash Reverse Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Correlation Netcat Infection Chain, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, WMI Fingerprint Commands, System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Elevated Msiexec Via Repair Functionality, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, Elevated Shell Launched By Browser"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Kernel Module Alteration, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, Chflags Hidden, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, HackTools Suspicious Names, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write, Reconnaissance Commands Activities"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 1, NlTest Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WerFaultSecure Abuse, Tactical RMM Installation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, WMI Fingerprint Commands, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regsvr32 Execution, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, OneNote Suspicious Children Process"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Python HTTP Server, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Correlation Admin Files Checked On Network Share, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, User Added To Admin Group Via Cmd, Account Removed From A Security Enabled Group, Enable Root Account With Dsenableroot, Dscl Authonly"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, PowerCat Function Loading, Microsoft IIS Module Installation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json
index 77c51d3707..834a50f920 100644
--- a/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trend Micro Apex One / Vision One endpoint", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Python Offensive Tools and Packages, Trend Micro Apex One Malware Alert, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, Trend Micro Apex One Data Loss Prevention Alert, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Generic, Suspicious VBS Execution Parameter, Powershell Web Request And Windows Script, Generic-reverse-shell-oneliner, Suspicious Microsoft Defender Antivirus Exclusion Command, AutoIt3 Execution From Suspicious Folder, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, PowerShell EncodedCommand, MalwareBytes Uninstallation, Elise Backdoor, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Interactive Terminal Spawned via Python, Mustang Panda Dropper, Sysprep On AppData Folder, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, Correlation Netcat Infection Chain, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Trend Micro Apex One Data Loss Prevention Alert, ZIP LNK Infection Chain, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, ISO LNK Infection Chain, HTA Infection Chains, Trend Micro Apex One Malware Alert"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Trend Micro Apex One Data Loss Prevention Alert, SolarWinds Suspicious File Creation, PsExec Process, OneNote Suspicious Children Process, Trend Micro Apex One Malware Alert, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Apex One Intrusion Detection Alert"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Package Manager Alteration, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Package Manager Alteration, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Correlation Netcat Infection Chain"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, Process Trace Alteration, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Createdump, WCE wceaux.dll Creation, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, SSH Authorized Key Alteration, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Hijack Legit RDP Session To Move Laterally, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, Elevated Shell Launched By Browser, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Legitimate Process Execution From Unusual Folder, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery, WMI Fingerprint Commands"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Correlation Netcat Infection Chain, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Information Stealer Downloading Legitimate Third-Party DLLs, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Rclone Process"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection, Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, Shell PID Injection, Reconnaissance Commands Activities, COM Hijack Via Sdclt, UAC Bypass Via Sdclt"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, PowerView commandlets 1, Shell PID Injection, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Shell PID Injection, Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Leviathan Registry Key Activity, Suspicious desktop.ini Action, Njrat Registry Values"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Chflags Hidden, Hiding Files With Attrib.exe"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Cookies Deletion, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Windows Defender Logging Modification Via Registry, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, Suspicious Windows Installer Execution, MavInject Process Injection, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Explorer Process Executing HTA File, Control Panel Items, Mshta JavaScript Execution, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, WMI Fingerprint Commands, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WerFaultSecure Abuse"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, QakBot Process Creation, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Change Default File Association, COM Hijack Via Sdclt, Reconnaissance Commands Activities, Component Object Model Hijacking, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery, Correlation Admin Files Checked On Network Share"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Remote System Discovery Via Telnet, Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Impacket Addcomputer, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Ntfsinfo Usage, Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Double Extension, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft IIS Module Installation, Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, User Added To Admin Group Via Cmd, Dscl Authonly, Account Removed From A Security Enabled Group, Enable Root Account With Dsenableroot"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trend Micro Apex One / Vision One endpoint", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Suspicious VBS Execution Parameter, PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell EncodedCommand, Trend Micro Apex One Data Loss Prevention Alert, Microsoft Office Creating Suspicious File, PowerShell Downgrade Attack, Interactive Terminal Spawned via Python, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Correlation Netcat Infection Chain, WMIC Uninstall Product, Invoke-TheHash Commandlets, Trend Micro Apex One Malware Alert, Lazarus Loaders, PowerShell Invoke Expression With Registry, Powershell Web Request, Python Offensive Tools and Packages, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Sysprep On AppData Folder, PowerShell Commands Invocation, AutoIt3 Execution From Suspicious Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Generic-reverse-shell-oneliner, Socat Relaying Socket, Mustang Panda Dropper, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, Suspicious Cmd.exe Command Line, Suspicious XOR Encoded PowerShell Command Line, Linux Bash Reverse Shell, Malspam Execution Registering Malicious DLL, Suspicious File Name"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Suspicious Windows DNS Queries, Koadic MSHTML Command, Dynamic DNS Contacted, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Download Links From Legitimate Services, Suspicious Email Attachment Received, Possible Malicious File Double Extension"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Trend Micro Apex One Malware Alert, Trend Micro Apex One Data Loss Prevention Alert, ISO LNK Infection Chain, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, HTA Infection Chains"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Trend Micro Apex One Malware Alert, Trend Micro Apex One Data Loss Prevention Alert, Exfiltration Via Pscp, PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Apex One Intrusion Detection Alert"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Correlation Priv Esc Via Remote Thread, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Shell PID Injection, UAC Bypass Via Sdclt, Reconnaissance Commands Activities"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 1, PowerView commandlets 2, Shell PID Injection, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Fail2ban Unban IP, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, Netsh RDP Port Opening, ETW Tampering, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Fail2ban Unban IP, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Possible Malicious File Double Extension, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Correlation Netcat Infection Chain, Linux Bash Reverse Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Information Stealer Downloading Legitimate Third-Party DLLs, Network Connection Via Certutil, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Correlation Netcat Infection Chain, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, WMI Fingerprint Commands, System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Elevated Msiexec Via Repair Functionality, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, Elevated Shell Launched By Browser"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Kernel Module Alteration, Njrat Registry Values, Suspicious desktop.ini Action, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Cookies Deletion, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, Chflags Hidden, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, SSH Authorized Key Alteration, Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Cron Files Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, WCE wceaux.dll Creation, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write, Reconnaissance Commands Activities"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 1, NlTest Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WerFaultSecure Abuse, Tactical RMM Installation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, WMI Fingerprint Commands, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regsvr32 Execution, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools, OneNote Suspicious Children Process"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Correlation Admin Files Checked On Network Share, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, Impacket Addcomputer, User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, Webshell Creation"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, User Added To Admin Group Via Cmd, Account Removed From A Security Enabled Group, Enable Root Account With Dsenableroot, Dscl Authonly"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Email Attachment Received"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json
index d983497537..87540adec1 100644
--- a/_shared_content/operations_center/detection/generated/attack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS VPC Flow logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS VPC Flow logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json
index 0547757f21..04ddd0677f 100644
--- a/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SentinelOne EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: SentinelOne EDR Malicious Threat Not Mitigated, Suspicious Outlook Child Process, Suspicious File Name, QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, Login Failed Brute-Force On SentinelOne EDR Management Console, FromBase64String Command Line, SentinelOne EDR Threat Detected (Suspicious), Login Brute-Force Successful On SentinelOne EDR Management Console, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), Powershell Web Request, SentinelOne EDR Threat Mitigation Report Kill Success, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Suspicious CodePage Switch with CHCP, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, SentinelOne EDR Threat Detected (Malicious), PowerShell Invoke Expression With Registry, Trickbot Malware Activity, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), SentinelOne EDR Threat Mitigation Report Quarantine Failed, Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Generic, Suspicious VBS Execution Parameter, SentinelOne EDR Custom Rule Alert, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Generic-reverse-shell-oneliner, Correlation Supicious Powershell Drop and Exec, Web Application Launching Shell, Suspicious Microsoft Defender Antivirus Exclusion Command, AutoIt3 Execution From Suspicious Folder, Suspicious PowerShell Invocations - Specific, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Threat Mitigation Report Remediate Success, Lazarus Loaders, PowerShell EncodedCommand, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Elise Backdoor, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, SentinelOne EDR SSO User Added, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Interactive Terminal Spawned via Python, Mustang Panda Dropper, Mshta Suspicious Child Process, Screenconnect Remote Execution, Sysprep On AppData Folder, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, SentinelOne EDR Threat Mitigation Report Quarantine Success, Correlation Netcat Infection Chain, Microsoft Office Spawning Script, PowerShell Download From URL, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection, SentinelOne EDR Agent Disabled"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SentinelOne EDR Malicious Threat Not Mitigated, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Login Failed Brute-Force On SentinelOne EDR Management Console, Microsoft Office Product Spawning Windows Shell, SentinelOne EDR Threat Detected (Suspicious), IcedID Execution Using Excel, SentinelOne EDR User Logged In To The Management Console, HTA Infection Chains, Login Brute-Force Successful On SentinelOne EDR Management Console, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Threat Mitigation Report Kill Success, SquirrelWaffle Malspam Execution Loading DLL, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Threat Detected (Malicious), Malspam Execution Registering Malicious DLL, SentinelOne EDR Threat Mitigation Report Quarantine Failed, Explorer Process Executing HTA File, Correlation PowerShell Suspicious DLL Loading, MS Office Product Spawning Exe in User Dir, SentinelOne EDR Custom Rule Alert, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Threat Mitigation Report Remediate Success, ISO LNK Infection Chain, Exploit For CVE-2015-1641, SentinelOne EDR SSO User Added, Winword Document Droppers, Microsoft Office Creating Suspicious File, SentinelOne EDR Threat Mitigation Report Quarantine Success, Microsoft Office Spawning Script, SentinelOne EDR Agent Disabled"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SentinelOne EDR Malicious Threat Not Mitigated, Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Login Failed Brute-Force On SentinelOne EDR Management Console, Gpscript Suspicious Parent, SentinelOne EDR Threat Detected (Suspicious), Login Brute-Force Successful On SentinelOne EDR Management Console, SentinelOne EDR User Logged In To The Management Console, Rare Lsass Child Found, Wsmprovhost Wrong Parent, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, Taskhost Wrong Parent, SentinelOne EDR Threat Detected (Malicious), Logonui Wrong Parent, SentinelOne EDR Threat Mitigation Report Quarantine Failed, Spoolsv Wrong Parent, Searchindexer Wrong Parent, SentinelOne EDR Custom Rule Alert, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, PsExec Process, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Threat Mitigation Report Remediate Success, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, SentinelOne EDR SSO User Added, Windows Update LolBins, Csrss Child Found, SolarWinds Suspicious File Creation, Searchprotocolhost Wrong Parent, SentinelOne EDR Threat Mitigation Report Quarantine Success, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, SentinelOne EDR Agent Disabled, Suspicious DNS Child Process"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, FLTMC command usage, Netsh Allow Command, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1547.013", "score": 100, "comment": "Rules: Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Powershell Suspicious Startup Shortcut Persistence, Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Leviathan Registry Key Activity, Suspicious desktop.ini Action, Njrat Registry Values, Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Correlation Netcat Infection Chain"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, Process Trace Alteration, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Createdump, WCE wceaux.dll Creation, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Hijack Legit RDP Session To Move Laterally, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation, Elevated Shell Launched By Browser, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Legitimate Process Execution From Unusual Folder, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery, WMI Fingerprint Commands"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Correlation Netcat Infection Chain, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Information Stealer Downloading Legitimate Third-Party DLLs, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Rclone Process"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection, Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, Shell PID Injection, COM Hijack Via Sdclt, Reconnaissance Commands Activities, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, PowerView commandlets 1, Shell PID Injection, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Shell PID Injection, Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Chflags Hidden, Hiding Files With Attrib.exe"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Clear EventLogs Through CommandLine, Correlation Post Exploitation Patterns Via Winrm, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Mshta Command From A Scheduled Task, Spoolsv Wrong Parent, MavInject Process Injection, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Windows Defender Logging Modification Via Registry, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, MOFComp Execution, Suspicious Windows Installer Execution, IcedID Execution Using Excel, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Explorer Process Executing HTA File, Control Panel Items, Mshta JavaScript Execution, AccCheckConsole Executing Dll, CMSTP UAC Bypass via COM Object Access, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1070.008", "score": 100, "comment": "Rules: Correlation Post Exploitation Patterns Via Winrm"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension, Possible Malicious File Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, WMI Fingerprint Commands, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Process Call Creation, VSCode Tunnel Shell Exec, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WerFaultSecure Abuse, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, Screenconnect Remote Execution, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Taskkill Command, Web Application Launching Shell, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, New Service Creation, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, New Service Creation, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, PsExec Process, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Csrss Child Found, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Suspicious DNS Child Process"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Change Default File Association, COM Hijack Via Sdclt, Reconnaissance Commands Activities, Component Object Model Hijacking, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Powershell Suspicious Startup Shortcut Persistence, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Correlation Supicious Powershell Drop and Exec, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, Screenconnect Remote Execution, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Trickbot Malware Activity, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Remote System Discovery Via Telnet, Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Correlation PowerShell Suspicious DLL Loading, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Ntfsinfo Usage, Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Suspicious DNS Child Process"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool, Generic Password Discovery, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, Dynamic DNS Contacted, Cryptomining, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes, Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft IIS Module Installation, Exchange Server Spawning Suspicious Processes, Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1563.001", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1563", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot, User Added To Admin Group Via Cmd, Dscl Authonly"}, {"techniqueID": "T1555.001", "score": 100, "comment": "Rules: Generic Password Discovery"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SentinelOne EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Suspicious VBS Execution Parameter, PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, SentinelOne EDR Threat Mitigation Report Kill Success, XSL Script Processing And SquiblyTwo Attack, PowerShell EncodedCommand, SentinelOne EDR Threat Mitigation Report Quarantine Failed, Microsoft Office Creating Suspicious File, PowerShell Downgrade Attack, Interactive Terminal Spawned via Python, MalwareBytes Uninstallation, SentinelOne EDR SSO User Added, Web Application Launching Shell, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Correlation Netcat Infection Chain, SentinelOne EDR Threat Detected (Suspicious), WMIC Uninstall Product, Trickbot Malware Activity, Invoke-TheHash Commandlets, Lazarus Loaders, SentinelOne EDR Threat Detected (Malicious), PowerShell Invoke Expression With Registry, SentinelOne EDR Malicious Threat Not Mitigated, Powershell Web Request, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR User Logged In To The Management Console, Screenconnect Remote Execution, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Suspicious Outlook Child Process, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, SentinelOne EDR Threat Mitigation Report Remediate Success, Sysprep On AppData Folder, PowerShell Commands Invocation, AutoIt3 Execution From Suspicious Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Generic-reverse-shell-oneliner, SquirrelWaffle Malspam Execution Loading DLL, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, Socat Relaying Socket, Mustang Panda Dropper, JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, Mshta Suspicious Child Process, Suspicious Cmd.exe Command Line, SentinelOne EDR Threat Mitigation Report Quarantine Success, Suspicious XOR Encoded PowerShell Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, SentinelOne EDR Agent Disabled, Linux Bash Reverse Shell, Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL, Login Failed Brute-Force On SentinelOne EDR Management Console, Exploited CVE-2020-10189 Zoho ManageEngine, SentinelOne EDR Custom Rule Alert, Login Brute-Force Successful On SentinelOne EDR Management Console, SentinelOne EDR User Failed To Log In To The Management Console, Suspicious File Name"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Threat Mitigation Report Quarantine Failed, Microsoft Office Creating Suspicious File, ZIP LNK Infection Chain, SentinelOne EDR SSO User Added, Microsoft Office Product Spawning Windows Shell, SentinelOne EDR Threat Detected (Suspicious), HTA Infection Chains, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Malicious Threat Not Mitigated, Cobalt Strike Default Beacons Names, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR User Logged In To The Management Console, Suspicious Outlook Child Process, IcedID Execution Using Excel, SentinelOne EDR Threat Mitigation Report Remediate Success, SquirrelWaffle Malspam Execution Loading DLL, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, Explorer Process Executing HTA File, SentinelOne EDR Threat Mitigation Report Quarantine Success, Winword Document Droppers, Correlation PowerShell Suspicious DLL Loading, SentinelOne EDR Agent Disabled, ISO LNK Infection Chain, Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL, Login Failed Brute-Force On SentinelOne EDR Management Console, SentinelOne EDR Custom Rule Alert, Login Brute-Force Successful On SentinelOne EDR Management Console, SentinelOne EDR User Failed To Log In To The Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Smss Wrong Parent, Windows Update LolBins, SentinelOne EDR Threat Mitigation Report Kill Success, Taskhost Wrong Parent, SentinelOne EDR Threat Mitigation Report Quarantine Failed, Lsass Wrong Parent, SentinelOne EDR SSO User Added, SentinelOne EDR Threat Detected (Suspicious), OneNote Suspicious Children Process, Svchost Wrong Parent, Winlogon wrong parent, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR User Logged In To The Management Console, Taskhostw Wrong Parent, Spoolsv Wrong Parent, Exfiltration Via Pscp, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, SentinelOne EDR Threat Mitigation Report Remediate Success, Suspicious DNS Child Process, Gpscript Suspicious Parent, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Mshta Command From A Scheduled Task, Csrss Child Found, SolarWinds Suspicious File Creation, SentinelOne EDR Threat Mitigation Report Quarantine Success, Rare Logonui Child Found, SentinelOne EDR Agent Disabled, SolarWinds Wrong Child Process, PsExec Process, Login Failed Brute-Force On SentinelOne EDR Management Console, Wsmprovhost Wrong Parent, SentinelOne EDR Custom Rule Alert, Searchprotocolhost Wrong Parent, Login Brute-Force Successful On SentinelOne EDR Management Console, SentinelOne EDR User Failed To Log In To The Management Console"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cryptomining, Koadic MSHTML Command, Dynamic DNS Contacted, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Suspicious Outlook Child Process"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Correlation Priv Esc Via Remote Thread, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, CMSTP UAC Bypass via COM Object Access, HTML Smuggling Suspicious Usage, Shell PID Injection, UAC Bypass Via Sdclt, Reconnaissance Commands Activities"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 1, PowerView commandlets 2, Shell PID Injection, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Services, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disable .NET ETW Through COMPlus_ETWEnabled, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, FLTMC command usage, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Possible Malicious File Double Extension, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Correlation Netcat Infection Chain, Linux Bash Reverse Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Information Stealer Downloading Legitimate Third-Party DLLs, Network Connection Via Certutil, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Correlation Netcat Infection Chain, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Smss Wrong Parent, MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Taskhost Wrong Parent, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Mshta Command From A Scheduled Task, Svchost Wrong Parent"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, WMI Fingerprint Commands, System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Elevated Msiexec Via Repair Functionality, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, Elevated Shell Launched By Browser"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Kernel Module Alteration, Njrat Registry Values, Linux Suspicious Auto-start Desktop Shortcut Execution, Suspicious desktop.ini Action, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification, Powershell Suspicious Startup Shortcut Persistence, NjRat Registry Changes"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Correlation Post Exploitation Patterns Via Winrm, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, Chflags Hidden, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1547.013", "score": 100, "comment": "Rules: Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, WCE wceaux.dll Creation, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write, Reconnaissance Commands Activities"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification, Powershell Suspicious Startup Shortcut Persistence"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 1, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Powershell Web Request, Screenconnect Remote Execution, PowerShell Malicious Nishang PowerShell Commandlets, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Mshta Suspicious Child Process, Suspicious XOR Encoded PowerShell Command Line, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Smss Wrong Parent, Taskhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Child Found, Mshta Command From A Scheduled Task, Rare Logonui Child Found, New Service Creation, SolarWinds Wrong Child Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Smss Wrong Parent, Taskhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Child Found, Mshta Command From A Scheduled Task, Rare Logonui Child Found, New Service Creation, SolarWinds Wrong Child Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Smss Wrong Parent, Taskhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Mshta Command From A Scheduled Task, Csrss Child Found, Rare Logonui Child Found, SolarWinds Wrong Child Process, PsExec Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WerFaultSecure Abuse, Tactical RMM Installation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, WMI Fingerprint Commands, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, VSCode Tunnel Shell Exec, Impacket Wmiexec Module, Suspicious Mshta Execution From Wmi, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, Webshell Creation"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool, Generic Password Discovery, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, CMSTP UAC Bypass via COM Object Access, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regsvr32 Execution, xWizard Execution, AccCheckConsole Executing Dll, MOFComp Execution, Suspicious Windows Installer Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Lazarus Loaders, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Screenconnect Remote Execution, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Mustang Panda Dropper, Web Application Launching Shell, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Winword Document Droppers, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1070.008", "score": 100, "comment": "Rules: Correlation Post Exploitation Patterns Via Winrm"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Correlation PowerShell Suspicious DLL Loading, HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd, Enable Root Account With Dsenableroot, Dscl Authonly"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1555.001", "score": 100, "comment": "Rules: Generic Password Discovery"}, {"techniqueID": "T1563.001", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1563", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_09754cc4-e247-4712-9a76-25529ba11b8b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_09754cc4-e247-4712-9a76-25529ba11b8b_do_not_edit_manually.json
index 81eb6cc737..d525283e02 100644
--- a/_shared_content/operations_center/detection/generated/attack_09754cc4-e247-4712-9a76-25529ba11b8b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_09754cc4-e247-4712-9a76-25529ba11b8b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x 1Password EPM", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: 1Password EPM Brute Force"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: 1Password EPM MFA Disable"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: 1Password EPM MFA Disable"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: 1Password EPM Share Externally, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: 1Password EPM Grant Access Vault"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x 1Password EPM", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: 1Password EPM Share Externally, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: 1Password EPM Brute Force"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: 1Password EPM Grant Access Vault"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: 1Password EPM MFA Disable"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: 1Password EPM MFA Disable"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json
index 3c0b9ea4dd..95995e5ef3 100644
--- a/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare HTTP requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop, Cloudflare WAF Correlation Alerts"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop, Cloudflare WAF Correlation Alerts"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Koadic MSHTML Command, Nimbo-C2 User Agent, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare HTTP requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop, Cloudflare WAF Correlation Alerts"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop, Cloudflare WAF Correlation Alerts"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Dynamic DNS Contacted, Potential LokiBot User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Potential LokiBot User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json
index daf06a0d38..92c0f1c049 100644
--- a/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cybereason EDR activity", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, SquirrelWaffle Malspam Execution Loading DLL, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Generic, Suspicious VBS Execution Parameter, Powershell Web Request And Windows Script, Generic-reverse-shell-oneliner, Web Application Launching Shell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, PowerShell EncodedCommand, MalwareBytes Uninstallation, Elise Backdoor, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Interactive Terminal Spawned via Python, Mustang Panda Dropper, Sysprep On AppData Folder, Screenconnect Remote Execution, Socat Reverse Shell Detection, Correlation Netcat Infection Chain, Microsoft Office Spawning Script, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, FLTMC command usage, Netsh Allow Command, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Correlation Netcat Infection Chain"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, Process Trace Alteration, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Hijack Legit RDP Session To Move Laterally, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, Elevated Shell Launched By Browser, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery, WMI Fingerprint Commands"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Correlation Netcat Infection Chain, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Rclone Process"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, Shell PID Injection, Reconnaissance Commands Activities, COM Hijack Via Sdclt, UAC Bypass Via Sdclt"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, PowerView commandlets 1, Shell PID Injection, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Shell PID Injection, Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Chflags Hidden, Hiding Files With Attrib.exe"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Clear EventLogs Through CommandLine, Correlation Post Exploitation Patterns Via Winrm, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Windows Defender Logging Modification Via Registry, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, MOFComp Execution, Suspicious Windows Installer Execution, IcedID Execution Using Excel, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Explorer Process Executing HTA File, Control Panel Items, Mshta JavaScript Execution, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1070.008", "score": 100, "comment": "Rules: Correlation Post Exploitation Patterns Via Winrm"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, WMI Fingerprint Commands, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Process Call Creation, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WerFaultSecure Abuse, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, Screenconnect Remote Execution, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Web Application Launching Shell, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Change Default File Association, COM Hijack Via Sdclt, Reconnaissance Commands Activities, Component Object Model Hijacking, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Screenconnect Remote Execution, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery, Correlation Admin Files Checked On Network Share"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Winword Document Droppers, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Winword Document Droppers, HTA Infection Chains, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel, ISO LNK Infection Chain, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, PsExec Process, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Windows Update LolBins, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, PsExec Process, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Suspicious DNS Child Process"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Remote System Discovery Via Telnet, Adidnsdump Enumeration, System Network Connections Discovery"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Generic Password Discovery, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Tunnel Technique From MuddyWater, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Microsoft IIS Module Installation, PowerCat Function Loading"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, User Added To Admin Group Via Cmd, Dscl Authonly, Account Removed From A Security Enabled Group, Enable Root Account With Dsenableroot"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1563.001", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1563", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1555.001", "score": 100, "comment": "Rules: Generic Password Discovery"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cybereason EDR activity", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Suspicious VBS Execution Parameter, PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell EncodedCommand, PowerShell Downgrade Attack, Interactive Terminal Spawned via Python, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Web Application Launching Shell, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Correlation Netcat Infection Chain, WMIC Uninstall Product, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, Powershell Web Request, Screenconnect Remote Execution, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Bloodhound and Sharphound Tools Usage, Suspicious Outlook Child Process, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Sysprep On AppData Folder, PowerShell Commands Invocation, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Generic-reverse-shell-oneliner, SquirrelWaffle Malspam Execution Loading DLL, Socat Relaying Socket, Mustang Panda Dropper, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, Suspicious Cmd.exe Command Line, Suspicious XOR Encoded PowerShell Command Line, Linux Bash Reverse Shell, Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Shell PID Injection, UAC Bypass Via Sdclt, Reconnaissance Commands Activities"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 1, PowerView commandlets 2, Shell PID Injection, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, FLTMC command usage, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Correlation Netcat Infection Chain, Linux Bash Reverse Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Correlation Netcat Infection Chain, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, WMI Fingerprint Commands, System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Elevated Msiexec Via Repair Functionality, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, Elevated Shell Launched By Browser"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Kernel Module Alteration, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Correlation Post Exploitation Patterns Via Winrm, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, Chflags Hidden, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, HackTools Suspicious Names, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write, Reconnaissance Commands Activities"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 1, NlTest Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Powershell Web Request, Screenconnect Remote Execution, PowerShell Malicious Nishang PowerShell Commandlets, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Formbook Hijacked Process Command, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WerFaultSecure Abuse, Tactical RMM Installation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, WMI Fingerprint Commands, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, Impacket Wmiexec Module, Suspicious Mshta Execution From Wmi, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Microsoft IIS Module Installation"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regsvr32 Execution, xWizard Execution, AccCheckConsole Executing Dll, MOFComp Execution, Suspicious Windows Installer Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Screenconnect Remote Execution, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Mustang Panda Dropper, Web Application Launching Shell, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Winword Document Droppers, IcedID Execution Using Excel, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Winword Document Droppers, IcedID Execution Using Excel, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, HTA Infection Chains, Suspicious Outlook Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, System Network Connections Discovery"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious DNS Child Process, SolarWinds Wrong Child Process, PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Windows Update LolBins, Suspicious DNS Child Process, SolarWinds Wrong Child Process, Exfiltration Via Pscp, PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, OneNote Suspicious Children Process"}, {"techniqueID": "T1070.008", "score": 100, "comment": "Rules: Correlation Post Exploitation Patterns Via Winrm"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Cryptomining, DNS Tunnel Technique From MuddyWater, Dynamic DNS Contacted"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Correlation Admin Files Checked On Network Share, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, User Added To Admin Group Via Cmd, Account Removed From A Security Enabled Group, Enable Root Account With Dsenableroot, Dscl Authonly"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Generic Password Discovery, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1555.001", "score": 100, "comment": "Rules: Generic Password Discovery"}, {"techniqueID": "T1563.001", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1563", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
index 0b31e3360f..d6221f116e 100644
--- a/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Crowdstrike Falcon Telemetry", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, SquirrelWaffle Malspam Execution Loading DLL, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Generic, Suspicious VBS Execution Parameter, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Generic-reverse-shell-oneliner, Correlation Supicious Powershell Drop and Exec, Web Application Launching Shell, Suspicious Microsoft Defender Antivirus Exclusion Command, AutoIt3 Execution From Suspicious Folder, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, PowerShell EncodedCommand, MalwareBytes Uninstallation, Elise Backdoor, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Interactive Terminal Spawned via Python, Mustang Panda Dropper, Sysprep On AppData Folder, Screenconnect Remote Execution, Socat Reverse Shell Detection, Correlation Netcat Infection Chain, Microsoft Office Spawning Script, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Driver Loaded, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, Disabled Service, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, Netsh Port Forwarding, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, FLTMC command usage, Netsh Allow Command, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, Disabled Service, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Powershell AMSI Bypass, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Correlation Netcat Infection Chain"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, Process Trace Alteration, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Windows Credential Editor Registry Key, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, NetNTLM Downgrade Attack, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Hijack Legit RDP Session To Move Laterally, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Legitimate Process Execution From Unusual Folder, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery, WMI Fingerprint Commands"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Correlation Netcat Infection Chain, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Rclone Process"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection, Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, Shell PID Injection, COM Hijack Via Sdclt, Reconnaissance Commands Activities, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, PowerView commandlets 1, Shell PID Injection, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Shell PID Injection, Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, DLL Load via LSASS Registry Key, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, Svchost Modification, Security Support Provider (SSP) Added to LSA Configuration, Njrat Registry Values"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Chflags Hidden, Hiding Files With Attrib.exe"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Clear EventLogs Through CommandLine, Correlation Post Exploitation Patterns Via Winrm, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, MavInject Process Injection, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, OceanLotus Registry Activity, Windows Defender Logging Modification Via Registry, LanManServer Registry Modify, NetNTLM Downgrade Attack, Ursnif Registry Key, DHCP Callout DLL Installation, Disabling SmartScreen Via Registry, FlowCloud Malware, RDP Sensitive Settings Changed, DNS ServerLevelPluginDll Installation, Suspicious Desktopimgdownldr Execution, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, MOFComp Execution, Suspicious Windows Installer Execution, IcedID Execution Using Excel, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, xWizard Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Explorer Process Executing HTA File, Control Panel Items, Mshta JavaScript Execution, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1070.008", "score": 100, "comment": "Rules: Correlation Post Exploitation Patterns Via Winrm"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension, Download Files From Non-Legitimate TLDs, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, WMI Fingerprint Commands, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Process Call Creation, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WerFaultSecure Abuse, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, Screenconnect Remote Execution, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Web Application Launching Shell, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Csrss Wrong Parent, Gpscript Suspicious Parent, New Service Creation, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Wsmprovhost Wrong Parent, OneNote Suspicious Children Process, Dllhost Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Csrss Wrong Parent, Gpscript Suspicious Parent, New Service Creation, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Wsmprovhost Wrong Parent, OneNote Suspicious Children Process, Dllhost Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Gpscript Suspicious Parent, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Csrss Wrong Parent, Taskhostw Wrong Parent, PsExec Process, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Dllhost Wrong Parent, Suspicious DNS Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Gpscript Suspicious Parent, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Csrss Wrong Parent, Taskhostw Wrong Parent, PsExec Process, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Windows Update LolBins, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Dllhost Wrong Parent, Suspicious DNS Child Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Change Default File Association, COM Hijack Via Sdclt, Reconnaissance Commands Activities, Component Object Model Hijacking, Suspicious Netsh DLL Persistence, Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Correlation Supicious Powershell Drop and Exec, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Screenconnect Remote Execution, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, Download Files From Non-Legitimate TLDs, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: MS Office Product Spawning Exe in User Dir, Suspicious Outlook Child Process, Winword Document Droppers, HTA Infection Chains, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Download Files From Non-Legitimate TLDs, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel, ISO LNK Infection Chain, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Svchost Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Remote System Discovery Via Telnet, Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Non-Legitimate TLDs, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Process Memory Dump Using Createdump"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Suspicious Windows DNS Queries, Download File On Cloud Storage Through Command Line"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, Dynamic DNS Contacted, Cryptomining, Sliver DNS Beaconing, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Download File On Cloud Storage Through Command Line, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Generic Password Discovery, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Download Files From Non-Legitimate TLDs, Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Microsoft IIS Module Installation, PowerCat Function Loading"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1563.001", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1563", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot, User Added To Admin Group Via Cmd, Dscl Authonly"}, {"techniqueID": "T1555.001", "score": 100, "comment": "Rules: Generic Password Discovery"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Crowdstrike Falcon Telemetry", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Suspicious VBS Execution Parameter, PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell EncodedCommand, PowerShell Downgrade Attack, Interactive Terminal Spawned via Python, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Web Application Launching Shell, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Correlation Netcat Infection Chain, WMIC Uninstall Product, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, Powershell Web Request, Screenconnect Remote Execution, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Bloodhound and Sharphound Tools Usage, Suspicious Outlook Child Process, Correlation Supicious Powershell Drop and Exec, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Sysprep On AppData Folder, PowerShell Commands Invocation, AutoIt3 Execution From Suspicious Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Generic-reverse-shell-oneliner, SquirrelWaffle Malspam Execution Loading DLL, Socat Relaying Socket, Mustang Panda Dropper, JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, Suspicious Cmd.exe Command Line, Suspicious XOR Encoded PowerShell Command Line, Linux Bash Reverse Shell, Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Suspicious Windows DNS Queries, Cryptomining, Cobalt Strike DNS Beaconing, Download File On Cloud Storage Through Command Line, Koadic MSHTML Command, Dynamic DNS Contacted, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Correlation Priv Esc Via Remote Thread, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, Shell PID Injection, UAC Bypass Via Sdclt, Reconnaissance Commands Activities"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 1, PowerView commandlets 2, Shell PID Injection, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, SELinux Disabling, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Fail2ban Unban IP, Disabled Service, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, Disable .NET ETW Through COMPlus_ETWEnabled, Attempt to Disable Gatekeeper Execution Control, SELinux Disabling, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Fail2ban Unban IP, Disabled Service, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, FLTMC command usage, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Correlation Netcat Infection Chain, Linux Bash Reverse Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Correlation Netcat Infection Chain, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Smss Wrong Parent, MavInject Process Injection, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Svchost Wrong Parent"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, WMI Fingerprint Commands, System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Elevated Msiexec Via Repair Functionality, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key, Malware Persistence Registry Key, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Security Support Provider (SSP) Added to LSA Configuration, Powershell Winlogon Helper DLL"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Certify Or Certipy, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Correlation Post Exploitation Patterns Via Winrm, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, Chflags Hidden, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, NetNTLM Downgrade Attack, Rubeus Tool Command-line, HackTools Suspicious Names, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Windows Credential Editor Registry Key"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage, Component Object Model Hijacking, Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, WMI Persistence Script Event Consumer File Write, Reconnaissance Commands Activities"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Disabling SmartScreen Via Registry, Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Suspicious Desktopimgdownldr Execution, Windows Defender Logging Modification Via Registry, RDP Sensitive Settings Changed, DNS ServerLevelPluginDll Installation, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, Disable Workstation Lock, NetNTLM Downgrade Attack, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious New Printer Ports In Registry, LanManServer Registry Modify, OceanLotus Registry Activity"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 1, NlTest Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Powershell Web Request, Screenconnect Remote Execution, PowerShell Malicious Nishang PowerShell Commandlets, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Winlogon wrong parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Smss Wrong Parent, Logonui Wrong Parent, Taskhost Wrong Parent, New Service Creation, Lsass Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Csrss Wrong Parent, Gpscript Suspicious Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Winlogon wrong parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Smss Wrong Parent, Logonui Wrong Parent, Taskhost Wrong Parent, New Service Creation, Lsass Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Csrss Wrong Parent, Gpscript Suspicious Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Smss Wrong Parent, Taskhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Winlogon wrong parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Suspicious DNS Child Process, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, PsExec Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Smss Wrong Parent, Windows Update LolBins, Taskhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Winlogon wrong parent, Taskhostw Wrong Parent, Exfiltration Via Pscp, Csrss Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Suspicious DNS Child Process, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, PsExec Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WerFaultSecure Abuse, Tactical RMM Installation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, WMI Fingerprint Commands, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, Impacket Wmiexec Module, Suspicious Mshta Execution From Wmi, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Microsoft IIS Module Installation"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, CMSTP Execution, Suspicious Regsvr32 Execution, xWizard Execution, AccCheckConsole Executing Dll, MOFComp Execution, Suspicious Windows Installer Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Screenconnect Remote Execution, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Mustang Panda Dropper, Web Application Launching Shell, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Winword Document Droppers, IcedID Execution Using Excel, Download Files From Non-Legitimate TLDs, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Winword Document Droppers, IcedID Execution Using Excel, Download Files From Non-Legitimate TLDs, MS Office Product Spawning Exe in User Dir, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, HTA Infection Chains, Suspicious Outlook Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1070.008", "score": 100, "comment": "Rules: Correlation Post Exploitation Patterns Via Winrm"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Download File On Cloud Storage Through Command Line, Suspicious Windows DNS Queries, Koadic MSHTML Command"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Suspicious New Printer Ports In Registry, Exploit For CVE-2015-1641"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, Download Files From Non-Legitimate TLDs, ZIP LNK Infection Chain"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Generic Password Discovery, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd, Enable Root Account With Dsenableroot, Dscl Authonly"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1555.001", "score": 100, "comment": "Rules: Generic Password Discovery"}, {"techniqueID": "T1563.001", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1563", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json
index 708baadb84..85d4591bdd 100644
--- a/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare WAF events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Koadic MSHTML Command, Nimbo-C2 User Agent, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Potential LokiBot User-Agent, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare WAF events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Potential LokiBot User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Potential LokiBot User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_19527522-2653-45dd-acea-49ae725bb435_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_19527522-2653-45dd-acea-49ae725bb435_do_not_edit_manually.json
index 68ccb803b4..227f56797f 100644
--- a/_shared_content/operations_center/detection/generated/attack_19527522-2653-45dd-acea-49ae725bb435_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_19527522-2653-45dd-acea-49ae725bb435_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Koadic MSHTML Command, Nimbo-C2 User Agent, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Dynamic DNS Contacted, Potential LokiBot User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Potential LokiBot User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json
index f82ea1c1ed..6aa073d43d 100644
--- a/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft Entra ID / Azure AD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1583", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Suspicious IP, Login Brute-Force Successful On AzureAD From Single IP Address, Microsoft Entra ID (Azure AD) Successful Password Spraying From Single IP Address, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Login Failed Brute-Force From Single IP Address, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Suspicious IP, Login Brute-Force Successful On AzureAD From Single IP Address, Microsoft Entra ID (Azure AD) Successful Password Spraying From Single IP Address, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Login Failed Brute-Force From Single IP Address, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country"}, {"techniqueID": "T1114.002", "score": 100, "comment": "Rules: Entra ID Consent Attempt to Suspicious OAuth Application"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Entra ID Consent Attempt to Suspicious OAuth Application"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit (Mamba 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Sneaky 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (CEPHAS 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Rockstar 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Greatness), Entra ID Sign-In Via Known AiTM Phishing Kit (Gabagool), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit (Mamba 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Sneaky 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (CEPHAS 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Rockstar 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Greatness), Entra ID Sign-In Via Known AiTM Phishing Kit (Gabagool), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) MFA Method Change"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) MFA Method Change"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Password Change Brute-Force On AzureAD, Entra ID Password Compromised By Known Credential Testing Tool"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cryptomining, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft Entra ID / Azure AD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console, Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Password Change Brute-Force On AzureAD, Entra ID Password Compromised By Known Credential Testing Tool"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit (CEPHAS 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Gabagool), Sign-In Via Known AiTM Phishing Kit, Entra ID Sign-In Via Known AiTM Phishing Kit (Mamba 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Sneaky 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Rockstar 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Greatness)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit (CEPHAS 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Gabagool), Sign-In Via Known AiTM Phishing Kit, Entra ID Sign-In Via Known AiTM Phishing Kit (Mamba 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Sneaky 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Rockstar 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Greatness)"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Login Failed Brute-Force From Single IP Address, Microsoft Entra ID (Azure AD) Leaked Credentials, Login Brute-Force Successful On AzureAD From Single IP Address, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Successful Password Spraying From Single IP Address"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Login Failed Brute-Force From Single IP Address, Microsoft Entra ID (Azure AD) Leaked Credentials, Login Brute-Force Successful On AzureAD From Single IP Address, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Successful Password Spraying From Single IP Address"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1114.002", "score": 100, "comment": "Rules: Entra ID Consent Attempt to Suspicious OAuth Application"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Entra ID Consent Attempt to Suspicious OAuth Application"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) MFA Method Change"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) MFA Method Change"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_1a1502f5-5a93-44b4-b0b5-359bbcb14902_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_1a1502f5-5a93-44b4-b0b5-359bbcb14902_do_not_edit_manually.json
index 655e657e66..ecacec0837 100644
--- a/_shared_content/operations_center/detection/generated/attack_1a1502f5-5a93-44b4-b0b5-359bbcb14902_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_1a1502f5-5a93-44b4-b0b5-359bbcb14902_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x MokN - Baits", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x MokN - Baits", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json
index 477a32ab5e..e6e962528a 100644
--- a/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x CEF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection, Bloodhound and Sharphound Tools Usage, Suspicious File Name"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Names, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, ISO LNK Infection Chain"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Suspicious Windows DNS Queries, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Cryptomining, Potential LokiBot User-Agent, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Suspicious Windows DNS Queries, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x CEF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Cryptomining, Potential Lemon Duck User-Agent, Suspicious Windows DNS Queries, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, Process Trace Alteration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Suspicious Windows DNS Queries, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Desktopimgdownldr Execution, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.json
index 311e291c35..f1efc2373c 100644
--- a/_shared_content/operations_center/detection/generated/attack_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ExtraHop Reveal(x) 360", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: ExtraHop Reveal(x) 360 Intrusion Detection Critical Severity, ExtraHop Reveal(x) 360 Intrusion Detection High Severity"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ExtraHop Reveal(x) 360", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: ExtraHop Reveal(x) 360 Intrusion Detection Critical Severity, ExtraHop Reveal(x) 360 Intrusion Detection High Severity"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json
index 8cc461446d..72766a76ec 100644
--- a/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x RSA SecurID", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, PowerShell EncodedCommand, MalwareBytes Uninstallation, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, Mustang Panda Dropper, Socat Reverse Shell Detection, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Process Trace Alteration, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage, Container Credential Access"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Services, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Disable Services, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Windows Defender Logging Modification Via Registry, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, WMImplant Hack Tool, Blue Mockingbird Malware"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Component Object Model Hijacking, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Generic, Suspicious PowerShell Keywords, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Powershell Web Request And Windows Script, FromBase64String Command Line, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Executions, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Equation Group DLL_U Load, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Executions, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Suspicious Desktopimgdownldr Execution, MavInject Process Injection"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Rclone Process, Suspicious Desktopimgdownldr Execution, Suspicious certutil command"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Dynamic DNS Contacted, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x RSA SecurID", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, WMIC Uninstall Product, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, PowerShell Commands Invocation, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, Mustang Panda Dropper, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Cmd.exe Command Line, Linux Bash Reverse Shell, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Allowed Python Program, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 1, NlTest Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, Invoke-TheHash Commandlets, PowerShell EncodedCommand, PowerShell Invoke Expression With Registry, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Tactical RMM Installation, Invoke-TheHash Commandlets, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, WMIC Uninstall Product"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, MavInject Process Injection, Suspicious Taskkill Command, CertOC Loading Dll, Control Panel Items, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious certutil command, Rclone Process, Pandemic Windows Implant"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, User Account Created"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_21bb5b9b-dc0e-4941-8932-262005a2789c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_21bb5b9b-dc0e-4941-8932-262005a2789c_do_not_edit_manually.json
index 3c8514c9fa..acdea2f37b 100644
--- a/_shared_content/operations_center/detection/generated/attack_21bb5b9b-dc0e-4941-8932-262005a2789c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_21bb5b9b-dc0e-4941-8932-262005a2789c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Hornetsecurity 365 Total Protection", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Threat Detected By Hornetsecurity 365 Total Protection, Advanced Threat Detected By Hornetsecurity 365 Total Protection, SEKOIA.IO Intelligence Feed, Spam Detected By Hornetsecurity 365 Total Protection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Hornetsecurity 365 Total Protection", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Spam Detected By Hornetsecurity 365 Total Protection, Threat Detected By Hornetsecurity 365 Total Protection, Advanced Threat Detected By Hornetsecurity 365 Total Protection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.json
index b196dd743d..7094432759 100644
--- a/_shared_content/operations_center/detection/generated/attack_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiWeb", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Koadic MSHTML Command, Nimbo-C2 User Agent, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiWeb", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Dynamic DNS Contacted, Potential LokiBot User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Potential LokiBot User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_225da01c-9500-45e4-b499-0e4966d4361c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_225da01c-9500-45e4-b499-0e4966d4361c_do_not_edit_manually.json
index 3d148a963b..c8e0133504 100644
--- a/_shared_content/operations_center/detection/generated/attack_225da01c-9500-45e4-b499-0e4966d4361c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_225da01c-9500-45e4-b499-0e4966d4361c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x BeyondTrust Privileged Remote Access Syslog [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x BeyondTrust Privileged Remote Access Syslog [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json
index ddbfdfabca..74b442cca9 100644
--- a/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x CrowdStrike Falcon", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: CrowdStrike Falcon Intrusion Detection Medium Severity, Suspicious Outlook Child Process, Suspicious File Name, QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, CrowdStrike Falcon Intrusion Detection Low Severity, CrowdStrike Falcon Identity Protection Detection Informational Severity, Powershell Web Request, SquirrelWaffle Malspam Execution Loading DLL, Suspicious XOR Encoded PowerShell Command Line, CrowdStrike Falcon Intrusion Detection Informational Severity EppDetection, PowerShell Downgrade Attack, CrowdStrike Falcon Identity Protection Detection Medium Severity, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, Suspicious CodePage Switch with CHCP, PowerShell Invoke Expression With Registry, CrowdStrike Falcon Intrusion Detection High Severity, CrowdStrike Falcon Intrusion Detection Informational Severity, Trickbot Malware Activity, CrowdStrike Falcon Intrusion Detection Low Severity EppDetection, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Suspicious Taskkill Command, Web Application Launching Shell, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, CrowdStrike Falcon Intrusion Detection High Severity EppDetection, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Generic, Sysprep On AppData Folder, Suspicious VBS Execution Parameter, CrowdStrike Falcon Intrusion Detection Medium Severity EppDetection, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, CrowdStrike Falcon Intrusion Detection EppDetection, Generic-reverse-shell-oneliner, CrowdStrike Falcon Intrusion Detection Critical Severity, CrowdStrike Falcon Identity Protection Detection Critical Severity, Correlation Supicious Powershell Drop and Exec, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, AutoIt3 Execution From Suspicious Folder, Lazarus Loaders, PowerShell EncodedCommand, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Elise Backdoor, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Interactive Terminal Spawned via Python, CrowdStrike Falcon Intrusion Detection Critical Severity EppDetection, Mustang Panda Dropper, CrowdStrike Falcon Identity Protection Detection Low Severity, CrowdStrike Falcon Identity Protection Detection High Severity, Screenconnect Remote Execution, Mshta Suspicious Child Process, Socat Reverse Shell Detection, Exploited CVE-2020-10189 Zoho ManageEngine, Correlation Netcat Infection Chain, Microsoft Office Spawning Script, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, CrowdStrike Falcon Intrusion Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: CrowdStrike Falcon Intrusion Detection Medium Severity, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Microsoft Office Product Spawning Windows Shell, CrowdStrike Falcon Intrusion Detection Low Severity, IcedID Execution Using Excel, CrowdStrike Falcon Identity Protection Detection Informational Severity, HTA Infection Chains, SquirrelWaffle Malspam Execution Loading DLL, CrowdStrike Falcon Intrusion Detection Informational Severity EppDetection, CrowdStrike Falcon Identity Protection Detection Medium Severity, CrowdStrike Falcon Intrusion Detection High Severity, CrowdStrike Falcon Intrusion Detection Informational Severity, CrowdStrike Falcon Intrusion Detection Low Severity EppDetection, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, CrowdStrike Falcon Intrusion Detection High Severity EppDetection, Correlation PowerShell Suspicious DLL Loading, MS Office Product Spawning Exe in User Dir, CrowdStrike Falcon Intrusion Detection Medium Severity EppDetection, CrowdStrike Falcon Intrusion Detection EppDetection, CrowdStrike Falcon Intrusion Detection Critical Severity, CrowdStrike Falcon Identity Protection Detection Critical Severity, ISO LNK Infection Chain, Exploit For CVE-2015-1641, Winword Document Droppers, CrowdStrike Falcon Intrusion Detection Critical Severity EppDetection, CrowdStrike Falcon Identity Protection Detection Low Severity, CrowdStrike Falcon Identity Protection Detection High Severity, Microsoft Office Spawning Script, CrowdStrike Falcon Intrusion Detection"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: CrowdStrike Falcon Intrusion Detection Medium Severity, Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Gpscript Suspicious Parent, CrowdStrike Falcon Intrusion Detection Low Severity, CrowdStrike Falcon Identity Protection Detection Informational Severity, Rare Lsass Child Found, Wsmprovhost Wrong Parent, CrowdStrike Falcon Intrusion Detection Informational Severity EppDetection, CrowdStrike Falcon Identity Protection Detection Medium Severity, Taskhost Wrong Parent, Wininit Wrong Parent, CrowdStrike Falcon Intrusion Detection High Severity, CrowdStrike Falcon Intrusion Detection Informational Severity, CrowdStrike Falcon Intrusion Detection Low Severity EppDetection, Logonui Wrong Parent, Spoolsv Wrong Parent, CrowdStrike Falcon Intrusion Detection High Severity EppDetection, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, CrowdStrike Falcon Intrusion Detection Medium Severity EppDetection, Taskhost or Taskhostw Suspicious Child Found, CrowdStrike Falcon Intrusion Detection EppDetection, Csrss Wrong Parent, CrowdStrike Falcon Intrusion Detection Critical Severity, CrowdStrike Falcon Identity Protection Detection Critical Severity, Taskhostw Wrong Parent, PsExec Process, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, CrowdStrike Falcon Intrusion Detection Critical Severity EppDetection, CrowdStrike Falcon Identity Protection Detection Low Severity, CrowdStrike Falcon Identity Protection Detection High Severity, Windows Update LolBins, Csrss Child Found, SolarWinds Suspicious File Creation, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, CrowdStrike Falcon Intrusion Detection, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Suspicious DNS Child Process"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, CrowdStrike Falcon Mobile Detection High Severity, Potential LokiBot User-Agent, CrowdStrike Falcon Mobile Detection Critical Severity, Suspicious Windows DNS Queries, Potential Lemon Duck User-Agent, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Potential Bazar Loader User-Agents, CrowdStrike Falcon Mobile Detection Low Severity, Koadic MSHTML Command, Correlation Potential DNS Tunnel, CrowdStrike Falcon Mobile Detection Informational Severity, SEKOIA.IO Intelligence Feed, Python HTTP Server, CrowdStrike Falcon Mobile Detection Medium Severity"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, FLTMC command usage, Netsh Allow Command, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1547.013", "score": 100, "comment": "Rules: Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Leviathan Registry Key Activity, Suspicious desktop.ini Action, Njrat Registry Values, Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Correlation Netcat Infection Chain"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, Process Trace Alteration, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Createdump, WCE wceaux.dll Creation, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation, Elevated Shell Launched By Browser, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Legitimate Process Execution From Unusual Folder, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery, WMI Fingerprint Commands"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Correlation Netcat Infection Chain, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Rclone Process"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection, Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, Shell PID Injection, COM Hijack Via Sdclt, Reconnaissance Commands Activities, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, PowerView commandlets 1, Shell PID Injection, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Shell PID Injection, Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Chflags Hidden, Hiding Files With Attrib.exe"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Clear EventLogs Through CommandLine, Correlation Post Exploitation Patterns Via Winrm, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Mshta Command From A Scheduled Task, Spoolsv Wrong Parent, MavInject Process Injection, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Windows Defender Logging Modification Via Registry, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, MOFComp Execution, Suspicious Windows Installer Execution, IcedID Execution Using Excel, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Explorer Process Executing HTA File, Control Panel Items, Mshta JavaScript Execution, AccCheckConsole Executing Dll, CMSTP UAC Bypass via COM Object Access, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1070.008", "score": 100, "comment": "Rules: Correlation Post Exploitation Patterns Via Winrm"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, WMI Fingerprint Commands, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Process Call Creation, VSCode Tunnel Shell Exec, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WerFaultSecure Abuse, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, Screenconnect Remote Execution, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Taskkill Command, Web Application Launching Shell, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Wininit Wrong Parent, Logonui Wrong Parent, New Service Creation, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Wininit Wrong Parent, Logonui Wrong Parent, New Service Creation, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Wininit Wrong Parent, Logonui Wrong Parent, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, PsExec Process, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Csrss Child Found, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Suspicious DNS Child Process"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Change Default File Association, COM Hijack Via Sdclt, Reconnaissance Commands Activities, Component Object Model Hijacking, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Correlation Supicious Powershell Drop and Exec, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, Screenconnect Remote Execution, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Trickbot Malware Activity, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Remote System Discovery Via Telnet, Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Correlation PowerShell Suspicious DLL Loading, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Suspicious Windows DNS Queries, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Generic Password Discovery, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Microsoft IIS Module Installation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1563.001", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1563", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot, User Added To Admin Group Via Cmd, Dscl Authonly"}, {"techniqueID": "T1555.001", "score": 100, "comment": "Rules: Generic Password Discovery"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x CrowdStrike Falcon", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Suspicious VBS Execution Parameter, PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, CrowdStrike Falcon Identity Protection Detection Medium Severity, PowerShell EncodedCommand, PowerShell Downgrade Attack, Interactive Terminal Spawned via Python, MalwareBytes Uninstallation, CrowdStrike Falcon Intrusion Detection Medium Severity EppDetection, Web Application Launching Shell, Suspicious PowerShell Invocations - Specific, CrowdStrike Falcon Intrusion Detection High Severity EppDetection, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Correlation Netcat Infection Chain, Suspicious PowerShell Invocations - Generic, WMIC Uninstall Product, Trickbot Malware Activity, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, CrowdStrike Falcon Identity Protection Detection Low Severity, Powershell Web Request, Screenconnect Remote Execution, PowerShell Malicious Nishang PowerShell Commandlets, CrowdStrike Falcon Identity Protection Detection Informational Severity, CrowdStrike Falcon Intrusion Detection Informational Severity EppDetection, Elise Backdoor, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Suspicious Outlook Child Process, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, CrowdStrike Falcon Intrusion Detection Critical Severity EppDetection, Sysprep On AppData Folder, PowerShell Commands Invocation, AutoIt3 Execution From Suspicious Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), CrowdStrike Falcon Intrusion Detection Low Severity, Suspicious CodePage Switch with CHCP, Generic-reverse-shell-oneliner, CrowdStrike Falcon Intrusion Detection High Severity, SquirrelWaffle Malspam Execution Loading DLL, Socat Relaying Socket, Mustang Panda Dropper, CrowdStrike Falcon Intrusion Detection Medium Severity, JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, Mshta Suspicious Child Process, Suspicious Cmd.exe Command Line, CrowdStrike Falcon Intrusion Detection Informational Severity, Suspicious XOR Encoded PowerShell Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Bash Reverse Shell, CrowdStrike Falcon Intrusion Detection EppDetection, CrowdStrike Falcon Intrusion Detection Low Severity EppDetection, Malspam Execution Registering Malicious DLL, CrowdStrike Falcon Intrusion Detection Critical Severity, Microsoft Office Spawning Script, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Identity Protection Detection High Severity, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious File Name, CrowdStrike Falcon Identity Protection Detection Critical Severity"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, CrowdStrike Falcon Mobile Detection Critical Severity, Potential LokiBot User-Agent, CrowdStrike Falcon Mobile Detection Informational Severity, DNS Tunnel Technique From MuddyWater, Suspicious Windows DNS Queries, CrowdStrike Falcon Mobile Detection High Severity, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Potential Lemon Duck User-Agent, Koadic MSHTML Command, CrowdStrike Falcon Mobile Detection Medium Severity, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, CrowdStrike Falcon Mobile Detection Low Severity, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: CrowdStrike Falcon Identity Protection Detection Medium Severity, ZIP LNK Infection Chain, CrowdStrike Falcon Intrusion Detection Medium Severity EppDetection, CrowdStrike Falcon Intrusion Detection High Severity EppDetection, Microsoft Office Product Spawning Windows Shell, HTA Infection Chains, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, CrowdStrike Falcon Identity Protection Detection Low Severity, Cobalt Strike Default Beacons Names, CrowdStrike Falcon Identity Protection Detection Informational Severity, CrowdStrike Falcon Intrusion Detection Informational Severity EppDetection, Suspicious Outlook Child Process, IcedID Execution Using Excel, CrowdStrike Falcon Intrusion Detection Critical Severity EppDetection, CrowdStrike Falcon Intrusion Detection Low Severity, CrowdStrike Falcon Intrusion Detection High Severity, SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, CrowdStrike Falcon Intrusion Detection Medium Severity, CrowdStrike Falcon Intrusion Detection Informational Severity, Winword Document Droppers, Correlation PowerShell Suspicious DLL Loading, ISO LNK Infection Chain, CrowdStrike Falcon Intrusion Detection EppDetection, CrowdStrike Falcon Intrusion Detection Low Severity EppDetection, Malspam Execution Registering Malicious DLL, CrowdStrike Falcon Intrusion Detection Critical Severity, Microsoft Office Spawning Script, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Identity Protection Detection High Severity, CrowdStrike Falcon Identity Protection Detection Critical Severity"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Smss Wrong Parent, Windows Update LolBins, Taskhost Wrong Parent, CrowdStrike Falcon Identity Protection Detection Medium Severity, Lsass Wrong Parent, CrowdStrike Falcon Intrusion Detection Medium Severity EppDetection, CrowdStrike Falcon Intrusion Detection High Severity EppDetection, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process, Wininit Wrong Parent, Svchost Wrong Parent, Winlogon wrong parent, CrowdStrike Falcon Identity Protection Detection Low Severity, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Exfiltration Via Pscp, CrowdStrike Falcon Identity Protection Detection Informational Severity, CrowdStrike Falcon Intrusion Detection Informational Severity EppDetection, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, CrowdStrike Falcon Intrusion Detection Critical Severity EppDetection, Suspicious DNS Child Process, CrowdStrike Falcon Intrusion Detection Low Severity, CrowdStrike Falcon Intrusion Detection High Severity, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, CrowdStrike Falcon Intrusion Detection Medium Severity, Usage Of Procdump With Common Arguments, Mshta Command From A Scheduled Task, Csrss Child Found, SolarWinds Suspicious File Creation, CrowdStrike Falcon Intrusion Detection Informational Severity, Rare Logonui Child Found, SolarWinds Wrong Child Process, CrowdStrike Falcon Intrusion Detection EppDetection, CrowdStrike Falcon Intrusion Detection Low Severity EppDetection, PsExec Process, CrowdStrike Falcon Intrusion Detection Critical Severity, Wsmprovhost Wrong Parent, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Identity Protection Detection High Severity, CrowdStrike Falcon Identity Protection Detection Critical Severity, Winrshost Wrong Parent"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Correlation Priv Esc Via Remote Thread, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, CMSTP UAC Bypass via COM Object Access, HTML Smuggling Suspicious Usage, Shell PID Injection, UAC Bypass Via Sdclt, Reconnaissance Commands Activities"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 1, PowerView commandlets 2, Shell PID Injection, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Services, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disable .NET ETW Through COMPlus_ETWEnabled, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, FLTMC command usage, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Correlation Netcat Infection Chain, Linux Bash Reverse Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Correlation Netcat Infection Chain, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Smss Wrong Parent, MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Taskhost Wrong Parent, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Mshta Command From A Scheduled Task, Svchost Wrong Parent"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, WMI Fingerprint Commands, System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, Elevated Shell Launched By Browser"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Kernel Module Alteration, Njrat Registry Values, Linux Suspicious Auto-start Desktop Shortcut Execution, Suspicious desktop.ini Action, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Correlation Post Exploitation Patterns Via Winrm, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, Chflags Hidden, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1547.013", "score": 100, "comment": "Rules: Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, HackTools Suspicious Names, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, WCE wceaux.dll Creation, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Reconnaissance Commands Activities"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 1, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Powershell Web Request, Screenconnect Remote Execution, PowerShell Malicious Nishang PowerShell Commandlets, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Mshta Suspicious Child Process, Suspicious XOR Encoded PowerShell Command Line, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Smss Wrong Parent, Taskhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Child Found, Mshta Command From A Scheduled Task, Rare Logonui Child Found, New Service Creation, SolarWinds Wrong Child Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Smss Wrong Parent, Taskhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Child Found, Mshta Command From A Scheduled Task, Rare Logonui Child Found, New Service Creation, SolarWinds Wrong Child Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Smss Wrong Parent, Taskhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Mshta Command From A Scheduled Task, Csrss Child Found, Rare Logonui Child Found, SolarWinds Wrong Child Process, PsExec Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WerFaultSecure Abuse, Tactical RMM Installation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, WMI Fingerprint Commands, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, VSCode Tunnel Shell Exec, Impacket Wmiexec Module, Suspicious Mshta Execution From Wmi, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Microsoft IIS Module Installation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, CMSTP UAC Bypass via COM Object Access, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regsvr32 Execution, xWizard Execution, AccCheckConsole Executing Dll, MOFComp Execution, Suspicious Windows Installer Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Lazarus Loaders, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Screenconnect Remote Execution, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Mustang Panda Dropper, Web Application Launching Shell, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Winword Document Droppers, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1070.008", "score": 100, "comment": "Rules: Correlation Post Exploitation Patterns Via Winrm"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Python HTTP Server, Suspicious Windows DNS Queries, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Potential LokiBot User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Correlation PowerShell Suspicious DLL Loading, HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Generic Password Discovery, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd, Enable Root Account With Dsenableroot, Dscl Authonly"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1555.001", "score": 100, "comment": "Rules: Generic Password Discovery"}, {"techniqueID": "T1563.001", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1563", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2345b987-a94a-4363-b7bc-a6e4a9efd98a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2345b987-a94a-4363-b7bc-a6e4a9efd98a_do_not_edit_manually.json
index 0caaf7dc36..6001547c36 100644
--- a/_shared_content/operations_center/detection/generated/attack_2345b987-a94a-4363-b7bc-a6e4a9efd98a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2345b987-a94a-4363-b7bc-a6e4a9efd98a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trend Micro Vision One OAT [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, PowerShell Credential Prompt, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Generic, Malicious PowerShell Keywords, Suspicious VBS Execution Parameter, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Generic-reverse-shell-oneliner, Sigma Intelligence ErrTraffic PowerShell Command Line, Evil Winrm Modules Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, AutoIt3 Execution From Suspicious Folder, Suspicious PowerShell Invocations - Specific, PowerShell NTFS Alternate Data Stream, Lazarus Loaders, PowerShell EncodedCommand, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Elise Backdoor, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Interactive Terminal Spawned via Python, Mustang Panda Dropper, PowerShell Suspicious Context Changes, Sysprep On AppData Folder, PowerShell Malicious PowerShell Commandlets, Socat Reverse Shell Detection, Exploited CVE-2020-10189 Zoho ManageEngine, Correlation Netcat Infection Chain, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Services, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Windows Defender Deactivation Using PowerShell Script, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, TrustedInstaller Impersonation, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Windows Defender Deactivation Using PowerShell Script, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, TrustedInstaller Impersonation, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1547.013", "score": 100, "comment": "Rules: Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values, Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Correlation Netcat Infection Chain"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, Process Trace Alteration, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation, Elevated Shell Launched By Browser, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Legitimate Process Execution From Unusual Folder, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery, WMI Fingerprint Commands"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Correlation Netcat Infection Chain, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Suspicious URI Used In A Lazarus Campaign, Rclone Process"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection, Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, Shell PID Injection, Reconnaissance Commands Activities, COM Hijack Via Sdclt, UAC Bypass Via Sdclt"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, PowerView commandlets 1, Shell PID Injection, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Shell PID Injection, Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Chflags Hidden, Hiding Files With Attrib.exe, PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Clear EventLogs Through CommandLine, Evil Winrm Modules Execution, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Windows Defender Logging Modification Via Registry, DHCP Callout DLL Installation, RDP Port Change Using Powershell, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, Suspicious Windows Installer Execution, MavInject Process Injection, xWizard Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Explorer Process Executing HTA File, Control Panel Items, Mshta JavaScript Execution, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, FromBase64String Command Line, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Credential Prompt, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Malicious PowerShell Keywords, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Sigma Intelligence ErrTraffic PowerShell Command Line, Evil Winrm Modules Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell NTFS Alternate Data Stream, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Suspicious Context Changes, PowerShell Malicious PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, WMI Fingerprint Commands, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WerFaultSecure Abuse"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Taskkill Command, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, QakBot Process Creation, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Change Default File Association, COM Hijack Via Sdclt, Reconnaissance Commands Activities, Component Object Model Hijacking, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Phosphorus Domain Controller Discovery, AdFind Usage"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Correlation PowerShell Suspicious DLL Loading"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Remote System Discovery Via Telnet, Adidnsdump Enumeration, System Network Connections Discovery, Microsoft Windows Active Directory Module Commandlets"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining, Koadic MSHTML Command, Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1070.008", "score": 100, "comment": "Rules: Evil Winrm Modules Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Correlation PowerShell Suspicious DLL Loading, ZIP LNK Infection Chain"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft IIS Module Installation, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot, User Added To Admin Group Via Cmd, Dscl Authonly"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trend Micro Vision One OAT [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Suspicious VBS Execution Parameter, PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Downgrade Attack, Interactive Terminal Spawned via Python, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, PowerShell Credential Prompt, Correlation Netcat Infection Chain, WMIC Uninstall Product, PowerShell Malicious PowerShell Commandlets, Invoke-TheHash Commandlets, PowerShell NTFS Alternate Data Stream, Lazarus Loaders, PowerShell Invoke Expression With Registry, PowerShell Malicious Nishang PowerShell Commandlets, Sigma Intelligence ErrTraffic PowerShell Command Line, Elise Backdoor, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Sysprep On AppData Folder, PowerShell Commands Invocation, AutoIt3 Execution From Suspicious Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Generic-reverse-shell-oneliner, PowerShell Suspicious Context Changes, Evil Winrm Modules Execution, Socat Relaying Socket, Mustang Panda Dropper, JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Malicious PowerShell Keywords, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, Suspicious Cmd.exe Command Line, Suspicious XOR Encoded PowerShell Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Bash Reverse Shell, Malspam Execution Registering Malicious DLL, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Correlation Priv Esc Via Remote Thread, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Shell PID Injection, UAC Bypass Via Sdclt, Reconnaissance Commands Activities"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 1, PowerView commandlets 2, Phosphorus (APT35) Exchange Discovery, Shell PID Injection, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Windows Defender Deactivation Using PowerShell Script, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, TrustedInstaller Impersonation, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, Windows Defender Deactivation Using PowerShell Script, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Services, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disable .NET ETW Through COMPlus_ETWEnabled, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Netsh Allow Command, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, TrustedInstaller Impersonation, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Possible Malicious File Double Extension, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Correlation Netcat Infection Chain, Linux Bash Reverse Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Correlation Netcat Infection Chain, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, WMI Fingerprint Commands, System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, Elevated Shell Launched By Browser"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Kernel Module Alteration, Njrat Registry Values, Linux Suspicious Auto-start Desktop Shortcut Execution, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Evil Winrm Modules Execution, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, PowerShell NTFS Alternate Data Stream, Chflags Hidden, Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1547.013", "score": 100, "comment": "Rules: Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, HackTools Suspicious Names, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Reconnaissance Commands Activities"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RDP Port Change Using Powershell, RedMimicry Winnti Playbook Registry Manipulation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Phosphorus Domain Controller Discovery, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 1, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, PowerShell Credential Prompt, PowerShell Malicious PowerShell Commandlets, Invoke-TheHash Commandlets, PowerShell NTFS Alternate Data Stream, PowerShell Invoke Expression With Registry, PowerShell Malicious Nishang PowerShell Commandlets, Sigma Intelligence ErrTraffic PowerShell Command Line, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Suspicious Context Changes, Evil Winrm Modules Execution, JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Malicious PowerShell Keywords, Suspicious XOR Encoded PowerShell Command Line, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WerFaultSecure Abuse, Tactical RMM Installation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, WMI Fingerprint Commands, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, CMSTP Execution, Suspicious Regsvr32 Execution, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Lazarus Loaders, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, Microsoft Windows Active Directory Module Commandlets, System Network Connections Discovery"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Correlation PowerShell Suspicious DLL Loading, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, PsExec Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Cryptomining, Koadic MSHTML Command, Dynamic DNS Contacted, Detect requests to Konni C2 servers"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1070.008", "score": 100, "comment": "Rules: Evil Winrm Modules Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Correlation PowerShell Suspicious DLL Loading, ZIP LNK Infection Chain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft IIS Module Installation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd, Enable Root Account With Dsenableroot, Dscl Authonly"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.json
index 0c3a250a49..ef699cbf7c 100644
--- a/_shared_content/operations_center/detection/generated/attack_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Daspren Parad", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1055", "score": 100, "comment": "Rules: Daspren Parad Malicious Behavior"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Names, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading, RTLO Character"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, ISO LNK Infection Chain"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Daspren Parad", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1055", "score": 100, "comment": "Rules: Daspren Parad Malicious Behavior"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, RTLO Character, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, Process Trace Alteration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json
index 054731f707..68ad0c7c1f 100644
--- a/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Secure Web Appliance", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default POST Beaconing, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cryptomining, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default POST Beaconing, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Secure Web Appliance", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Cryptomining, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, LokiBot Default C2 URL, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json
index f39a54dd87..4ec1ea48b7 100644
--- a/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sekoia.io Endpoint Agent", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious File Name, QakBot Process Creation, Invoke-TheHash Commandlets, Sekoia.io EICAR Detection, In-memory PowerShell, FromBase64String Command Line, Suspicious Scripting In A WMI Consumer, Powershell Web Request, Alternate PowerShell Hosts Pipe, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, Trickbot Malware Activity, PowerShell Credential Prompt, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Generic, Malicious PowerShell Keywords, Suspicious VBS Execution Parameter, Turla Named Pipes, Suspicious DLL Loaded Via Office Applications, WMI DLL Loaded Via Office, Powershell Web Request And Windows Script, Microsoft Defender Antivirus Threat Detected, JS PowerShell Infection Chains, Sigma Intelligence ErrTraffic PowerShell Command Line, Correlation Supicious Powershell Drop and Exec, Evil Winrm Modules Execution, Web Application Launching Shell, Suspicious Microsoft Defender Antivirus Exclusion Command, AutoIt3 Execution From Suspicious Folder, Suspicious PowerShell Invocations - Specific, PowerShell NTFS Alternate Data Stream, Lazarus Loaders, Aspnet Compiler, PowerShell EncodedCommand, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Elise Backdoor, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Mustang Panda Dropper, Sysprep On AppData Folder, PowerShell Suspicious Context Changes, Screenconnect Remote Execution, Mshta Suspicious Child Process, PowerShell Malicious PowerShell Commandlets, Detection of default Mimikatz banner, Microsoft Office Creating Suspicious File, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Office Spawning Script, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, HarfangLab EDR Medium Threat, Cobalt Strike Default Beacons Names, HarfangLab EDR Low Level Rule Detection, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Low Threat, IcedID Execution Using Excel, HarfangLab EDR High Threat, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Critical Level Rule Detection, Malspam Execution Registering Malicious DLL, HarfangLab EDR Process Execution Blocked (HL-AI engine), Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Critical Threat, Suspicious DLL Loaded Via Office Applications, Exploit For CVE-2015-1641, HarfangLab EDR Hlai Engine Detection, Winword Document Droppers, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, HarfangLab EDR Medium Level Rule Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, HarfangLab EDR Medium Threat, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, HarfangLab EDR Low Level Rule Detection, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Low Threat, IcedID Execution Using Excel, HTA Infection Chains, HarfangLab EDR High Threat, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Critical Level Rule Detection, Malspam Execution Registering Malicious DLL, Registry Value Changed Via Windows Run Dialog, HarfangLab EDR Process Execution Blocked (HL-AI engine), Explorer Process Executing HTA File, Correlation PowerShell Suspicious DLL Loading, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Critical Threat, Suspicious DLL Loaded Via Office Applications, Microsoft Defender Antivirus Threat Detected, ISO LNK Infection Chain, Exploit For CVE-2015-1641, HarfangLab EDR Hlai Engine Detection, Winword Document Droppers, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, HarfangLab EDR Medium Level Rule Detection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: File and Directory Permissions Modification"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File and Directory Permissions Modification, AD Object WriteDAC Access, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, SSH Tunnel Traffic, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, SSH X11 Forwarding"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Shadow Copies, System Info Discovery, WMI Fingerprint Commands"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Remote File Copy, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Powershell Suspicious Startup Shortcut Persistence, Kernel Module Alteration, DLL Load via LSASS Registry Key, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, Svchost Modification, Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration, Registry Key Used By Some Old Agent Tesla Samples, Njrat Registry Values, Narrator Feedback-Hub Persistence"}, {"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, Setuid Or Setgid Usage, COM Hijack Via Sdclt, Reconnaissance Commands Activities, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Openfiles Usage, Network Scanning and Discovery"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, Chafer (APT 39) Activity, Dynamic DNS Contacted, Cryptomining, Suspicious LDAP-Attributes Used, Sliver DNS Beaconing, Many Downloads From Several Binaries, Suspicious Windows DNS Queries, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, OceanLotus Registry Activity, FlowCloud Malware, Wdigest Enable UseLogonCredential, RedMimicry Winnti Playbook Registry Manipulation, Remote Registry Management Using Reg Utility, DHCP Callout DLL Installation, RDP Sensitive Settings Changed, DNS ServerLevelPluginDll Installation, Disable Security Events Logging Adding Reg Key MiniNt, Disabling SmartScreen Via Registry, RDP Port Change Using Powershell, Suspicious Desktopimgdownldr Execution, Disable .NET ETW Through COMPlus_ETWEnabled, Chafer (APT 39) Activity, Windows Defender Logging Modification Via Registry, LanManServer Registry Modify, Ursnif Registry Key, Blue Mockingbird Malware, NetNTLM Downgrade Attack, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Remote Enumeration Of Lateral Movement Groups, PowerView commandlets 1, AD User Enumeration, Remote Privileged Group Enumeration, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, AD Privileged Users Or Groups Reconnaissance, PowerView commandlets 2, Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Driver Loaded, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Windows Defender Deactivation Using PowerShell Script, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Configuration Changed, Netsh RDP Port Forwarding, TrustedInstaller Impersonation, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, Netsh Port Forwarding, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Python Opening Ports, ETW Tampering, Suspicious Driver Loaded, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, FLTMC command usage, Netsh Allow Command, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Powershell AMSI Bypass, Windows Defender Deactivation Using PowerShell Script, Disable Security Events Logging Adding Reg Key MiniNt, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Configuration Changed, Netsh RDP Port Forwarding, TrustedInstaller Impersonation, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspect Svchost Memory Access, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Malware Protection Engine Crash, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Sekoia.io Endpoint Agent Uninstalled, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, MOFComp Execution, Suspicious Windows Installer Execution, IcedID Execution Using Excel, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Explorer Process Executing HTA File, Control Panel Items, Mshta JavaScript Execution, AccCheckConsole Executing Dll, CMSTP UAC Bypass via COM Object Access, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Dynwrapx Module Loading, Empire Monkey Activity"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, In-memory PowerShell, FromBase64String Command Line, Powershell Web Request, Alternate PowerShell Hosts Pipe, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Credential Prompt, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Malicious PowerShell Keywords, Turla Named Pipes, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Sigma Intelligence ErrTraffic PowerShell Command Line, Correlation Supicious Powershell Drop and Exec, Evil Winrm Modules Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell NTFS Alternate Data Stream, PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Suspicious Context Changes, Screenconnect Remote Execution, Mshta Suspicious Child Process, PowerShell Malicious PowerShell Commandlets, Detection of default Mimikatz banner, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.008", "score": 100, "comment": "Rules: Evil Winrm Modules Execution, Correlation Post Exploitation Patterns Via Winrm"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Eventlog Cleared, ETW Tampering, Cookies Deletion, Secure Deletion With SDelete, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Deleted, Correlation Post Exploitation Patterns Via Winrm, Evil Winrm Modules Execution, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, User Added to Local Administrators, Account Tampering - Suspicious Failed Logon Reasons, Denied Access To Remote Desktop, Account Removed From A Security Enabled Group, Enable Root Account With Dsenableroot, Admin User RDP Remote Logon"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Cisco Umbrella Threat Detected, Suspicious Outlook Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Impacket Secretsdump.py Tool, DPAPI Domain Backup Key Extraction, Credential Dumping Tools Service Execution, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Dumpert LSASS Process Dumper, Suspicious SAM Dump, Impacket Secretsdump.py Tool, Active Directory Database Dump Via Ntdsutil, LSASS Memory Dump File Creation, Copying Browser Files With Credentials, Lsass Access Through WinRM, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, Credential Dump Tools Related Files, Process Memory Dump Using Comsvcs, LSASS Access From Non System Account, SAM Registry Hive Handle Request, Cmdkey Cached Credentials Recon, DCSync Attack, Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, DPAPI Domain Backup Key Extraction, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping-Tools Common Named Pipes, RedMimicry Winnti Playbook Dropped File, Copying Sensitive Files With Credential Data, Credential Dumping Tools Service Execution, HackTools Suspicious Names, Windows Credential Editor Registry Key, Mimikatz LSASS Memory Access, Password Dumper Activity On LSASS, Credential Dumping By LaZagne, Unsigned Image Loaded Into LSASS Process, LSASS Memory Dump, Malicious Service Installations, Active Directory Replication from Non Machine Account, WCE wceaux.dll Creation, Rubeus Tool Command-line, Transferring Files With Credential Data Via Network Shares, NTDS.dit File In Suspicious Directory, NetNTLM Downgrade Attack, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, WMI Fingerprint Commands, Invoke-TheHash Commandlets, WMI Install Of Binary, WMI DLL Loaded Via Office, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Process Call Creation, VSCode Tunnel Shell Exec, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WerFaultSecure Abuse, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Execution From Suspicious Folder, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Legitimate Process Execution From Unusual Folder, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading, Unsigned Driver Loaded From Suspicious Location, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, Screenconnect Remote Execution, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Taskkill Command, Web Application Launching Shell, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, TUN/TAP Driver Installation, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Python Opening Ports, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Sekoia.io Endpoint Agent Uninstalled, Powershell AMSI Bypass"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Cobalt Strike Default Service Creation Usage, Wininit Wrong Parent, WMI Persistence Command Line Event Consumer, Logonui Wrong Parent, New Service Creation, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, APT29 Fake Google Update Service Install, Lsass Wrong Parent, StoneDrill Service Install, Chafer (APT 39) Activity, Csrss Child Found, Malicious Service Installations, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Cobalt Strike Default Service Creation Usage, Wininit Wrong Parent, WMI Persistence Command Line Event Consumer, Logonui Wrong Parent, New Service Creation, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, APT29 Fake Google Update Service Install, Lsass Wrong Parent, StoneDrill Service Install, Chafer (APT 39) Activity, Csrss Child Found, Malicious Service Installations, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Metasploit PSExec Service Creation, Smss Wrong Parent, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, OneNote Suspicious Children Process, Taskhost Wrong Parent, Correlation Impacket Smbexec, Wininit Wrong Parent, WMI Persistence Command Line Event Consumer, Logonui Wrong Parent, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Smbexec.py Service Installation, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Windows Suspicious Service Creation, Csrss Wrong Parent, Taskhostw Wrong Parent, PsExec Process, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Csrss Child Found, Malicious Service Installations, Searchprotocolhost Wrong Parent, Suspicious PsExec Execution, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, Credential Dumping Tools Service Execution, Dllhost Wrong Parent, Suspicious DNS Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Metasploit PSExec Service Creation, Smss Wrong Parent, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Check Point Harmony Mobile Application Forbidden, OneNote Suspicious Children Process, Taskhost Wrong Parent, Correlation Impacket Smbexec, Wininit Wrong Parent, WMI Persistence Command Line Event Consumer, Logonui Wrong Parent, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Smbexec.py Service Installation, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Windows Suspicious Service Creation, Microsoft Defender Antivirus Threat Detected, Csrss Wrong Parent, Taskhostw Wrong Parent, PsExec Process, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Windows Update LolBins, Csrss Child Found, SolarWinds Suspicious File Creation, Malicious Service Installations, Searchprotocolhost Wrong Parent, Suspicious PsExec Execution, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, Credential Dumping Tools Service Execution, Dllhost Wrong Parent, Suspicious DNS Child Process"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, AD User Enumeration, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, AD Privileged Users Or Groups Reconnaissance"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, QakBot Process Creation, Suspicious DLL Loaded Via Office Applications, WMI DLL Loaded Via Office, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Process Hollowing Detection, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Process Herpaderping, Smss Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Mshta Command From A Scheduled Task, Malicious Named Pipe, Cobalt Strike Named Pipes, MavInject Process Injection, Wsmprovhost Wrong Parent, Dynwrapx Module Loading, Spoolsv Wrong Parent"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Successful Brute Force Login From Internet, Correlation Internal Ntlm Password Spraying, Correlation Internal Kerberos Password Spraying"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: Successful Brute Force Login From Internet"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Change Default File Association, COM Hijack Via Sdclt, Reconnaissance Commands Activities, Component Object Model Hijacking, Suspicious Scripting In A WMI Consumer, WMI Event Subscription, Suspicious Netsh DLL Persistence, Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Powershell Suspicious Startup Shortcut Persistence, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Svchost Modification, Registry Key Used By Some Old Agent Tesla Samples, Narrator Feedback-Hub Persistence"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, Werfault DLL Injection, DHCP Callout DLL Installation, Suspicious DLL side loading from ProgramData, DNS ServerLevelPluginDll Installation, Svchost DLL Search Order Hijack, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, DHCP Server Error Failed Loading the CallOut DLL, Werfault DLL Injection, Windows Registry Persistence COM Search Order Hijacking, DHCP Callout DLL Installation, Hijack Legit RDP Session To Move Laterally, Suspicious DLL side loading from ProgramData, DNS ServerLevelPluginDll Installation, Svchost DLL Search Order Hijack, Elevated Shell Launched By Browser, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Correlation Admin Files Checked On Network Share, Netscan Share Access Artefact, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule, Suspicious Hostname"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, User Added to Local Administrators, SeEnableDelegationPrivilege Granted To User Or Machine In Active Directory, Active Directory User Backdoors, Active Directory Replication User Backdoor, Privileged AD Builtin Group Modified, Password Change On Directory Service Restore Mode (DSRM) Account, Active Directory Delegate To KRBTGT Service, Enabling Restricted Admin Mode"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Impacket Addcomputer"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Cmdkey Cached Credentials Recon, Credential Dumping Tools Service Execution, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: SCM Database Privileged Operation, PowerView commandlets 2, PowerView commandlets 1, SCM Database Handle Failure"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Trickbot Malware Activity, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Phosphorus Domain Controller Discovery, AdFind Usage"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Cobalt Strike Default Service Creation Usage, Correlation Impacket Smbexec, Smbexec.py Service Installation, Remote Service Activity Via SVCCTL Named Pipe, Admin Share Access, Lateral Movement Remote Named Pipe, Protected Storage Service Access"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Cobalt Strike Default Service Creation Usage, Correlation Impacket Smbexec, Smbexec.py Service Installation, Remote Service Activity Via SVCCTL Named Pipe, Admin Share Access, Denied Access To Remote Desktop, RDP Login From Localhost, Lsass Access Through WinRM, RDP Port Change Using Powershell, MMC20 Lateral Movement, Protected Storage Service Access, Lateral Movement Remote Named Pipe, MMC Spawning Windows Shell"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Windows Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Chafer (APT 39) Activity, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, Qakbot Persistence Using Schtasks, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Windows Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Chafer (APT 39) Activity, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, STRRAT Scheduled Task, Remote Task Creation Via ATSVC Named Pipe, BazarLoader Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, Qakbot Persistence Using Schtasks, Creation or Modification of a GPO Scheduled Task, Blue Mockingbird Malware"}, {"techniqueID": "T1558.004", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Suspicious Outbound Kerberos Connection, Suspicious TGS requests (Kerberoasting), Possible Replay Attack, Rubeus Tool Command-line, Kerberos Pre-Auth Disabled in UAC, Suspicious Kerberos Ticket, Rubeus Register New Logon Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Compression Followed By Suppression"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, RedMimicry Winnti Playbook Dropped File, Suspicious SAM Dump, Copying Sensitive Files With Credential Data, SAM Registry Hive Handle Request, Impacket Secretsdump.py Tool, Copying Browser Files With Credentials, Credential Dumping Tools Service Execution, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer, WMI Event Subscription"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Remote Task Creation Via ATSVC Named Pipe, Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Secure Deletion With SDelete, PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: System Network Connections Discovery, Remote System Discovery Via Telnet, Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, Microsoft Windows Active Directory Module Commandlets"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Information Stealer Downloading Legitimate Third-Party DLLs, Rclone Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: LSASS Access From Non System Account, Credential Dumping-Tools Common Named Pipes, Credential Dumping Tools Service Execution, Dumpert LSASS Process Dumper, Password Dumper Activity On LSASS, Unsigned Image Loaded Into LSASS Process, LSASS Memory Dump, Windows Credential Editor Registry Key, Mimikatz LSASS Memory Access, Load Of dbghelp/dbgcore DLL From Suspicious Process, LSASS Memory Dump File Creation, Process Memory Dump Using Createdump, Lsass Access Through WinRM, Suspicious CommandLine Lsassy Pattern, Credential Dumping By LaZagne, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Impacket Secretsdump.py Tool, Active Directory Database Dump Via Ntdsutil, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection, Dynwrapx Module Loading"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, DCSync Attack, Active Directory Replication from Non Machine Account"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, Chafer (APT 39) Activity, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1649", "score": 100, "comment": "Rules: Suspicious Certificate Request-adcs Abuse, Suspicious Kerberos Ticket"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Correlation PowerShell Suspicious DLL Loading, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Audit CVE Event, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying, Correlation Internal Kerberos Password Spraying"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, PowerShell NTFS Alternate Data Stream, Hiding Files With Attrib.exe"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt, Abusing Azure Browser SSO"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Ntfsinfo Usage, Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task, Domain Trust Created Or Removed, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In, Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Dynwrapx Module Loading, Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, Disable .NET ETW Through COMPlus_ETWEnabled, Suspect Svchost Memory Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost, RDP Port Change Using Powershell, Denied Access To Remote Desktop"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Remote Registry Management Using Reg Utility, Opening Of a Password File, Credentials Extraction, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, GitLab CVE-2021-22205, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation, Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool, Credentials Extraction, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: SysKey Registry Keys Access, Suspicious Taskkill Command, Remote Registry Management Using Reg Utility, Putty Sessions Listing"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection, Msdt (Follina) File Browse Process Execution, Audit CVE Event, Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, Remote Enumeration Of Lateral Movement Groups, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes, Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft IIS Module Installation, Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes, Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event, Abusing Azure Browser SSO"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event, Registry Checked For Lanmanserver DisableCompression Parameter, CVE-2019-0708 Scan"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Secure Deletion With SDelete, Backup Catalog Deleted"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Loading Scripting Libraries"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sekoia.io Endpoint Agent", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Suspicious VBS Execution Parameter, PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Microsoft Office Creating Suspicious File, PowerShell Downgrade Attack, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Web Application Launching Shell, WMImplant Hack Tool, Suspicious DLL Loaded Via Office Applications, PowerShell Credential Prompt, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, WMIC Uninstall Product, Trickbot Malware Activity, PowerShell Malicious PowerShell Commandlets, Alternate PowerShell Hosts Pipe, Invoke-TheHash Commandlets, PowerShell NTFS Alternate Data Stream, Lazarus Loaders, PowerShell Invoke Expression With Registry, Turla Named Pipes, Detection of default Mimikatz banner, Powershell Web Request, Screenconnect Remote Execution, PowerShell Malicious Nishang PowerShell Commandlets, Sigma Intelligence ErrTraffic PowerShell Command Line, WMI DLL Loaded Via Office, Elise Backdoor, Bloodhound and Sharphound Tools Usage, Suspicious Outlook Child Process, Correlation Supicious Powershell Drop and Exec, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Sysprep On AppData Folder, PowerShell Commands Invocation, AutoIt3 Execution From Suspicious Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Suspicious Context Changes, Evil Winrm Modules Execution, Mustang Panda Dropper, Microsoft Defender Antivirus Threat Detected, JS PowerShell Infection Chains, Default Encoding To UTF-8 PowerShell, Malicious PowerShell Keywords, QakBot Process Creation, Suspicious Scripting In A WMI Consumer, Suspicious PowerShell Keywords, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Windows Script Execution, Mshta Suspicious Child Process, Suspicious Cmd.exe Command Line, Suspicious XOR Encoded PowerShell Command Line, Aspnet Compiler, Exploiting SetupComplete.cmd CVE-2019-1378, In-memory PowerShell, Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious File Name"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Powershell AMSI Bypass, Sekoia.io Endpoint Agent Uninstalled, Python Opening Ports, Netsh Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Allow Command, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, Windows Defender Deactivation Using PowerShell Script, MalwareBytes Uninstallation, Suspect Svchost Memory Access, ETW Tampering, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, Microsoft Defender Antivirus Exclusion Configuration, Disable Security Events Logging Adding Reg Key MiniNt, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Services, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Microsoft Defender Antivirus Configuration Changed, Disable Task Manager Through Registry Key, Sekoia.io Endpoint Agent Uninstalled, Suspicious PROCEXP152.sys File Created In Tmp, Python Opening Ports, Netsh Allow Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, TrustedInstaller Impersonation, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Microsoft Malware Protection Engine Crash, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, FLTMC command usage, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Tampering Detected, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: HarfangLab EDR High Threat, Microsoft Office Creating Suspicious File, HarfangLab EDR Low Threat, Sysmon Windows File Block Executable, Suspicious DLL Loaded Via Office Applications, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Critical Threat, Exploit For CVE-2015-1641, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Medium Threat, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, HarfangLab EDR Suspicious Process Behavior Has Been Detected, IcedID Execution Using Excel, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR Low Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, Winword Document Droppers, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HarfangLab EDR High Threat, Microsoft Office Creating Suspicious File, ZIP LNK Infection Chain, HarfangLab EDR Low Threat, Sysmon Windows File Block Executable, Registry Value Changed Via Windows Run Dialog, Suspicious DLL Loaded Via Office Applications, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Critical Threat, HTA Infection Chains, Exploit For CVE-2015-1641, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Medium Threat, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Suspicious Outlook Child Process, IcedID Execution Using Excel, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR Low Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, Microsoft Defender Antivirus Threat Detected, Winword Document Droppers, Correlation PowerShell Suspicious DLL Loading, ISO LNK Infection Chain, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Remote File Copy, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Suspicious Windows DNS Queries, Cryptomining, Many Downloads From Several Binaries, Dynamic DNS Contacted, Sliver DNS Beaconing, Suspicious LDAP-Attributes Used, Chafer (APT 39) Activity"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Cisco Umbrella Threat Detected, Suspicious Outlook Child Process"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SSH X11 Forwarding, SOCKS Tunneling Tool, SSH Tunnel Traffic, Ngrok Process Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Shadow Copies, WMI Fingerprint Commands, System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key, Malware Persistence Registry Key, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, Narrator Feedback-Hub Persistence, Suspicious desktop.ini Action, Registry Key Used By Some Old Agent Tesla Samples, Microsoft Office Macro Security Registry Modifications, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification, Powershell Suspicious Startup Shortcut Persistence, NjRat Registry Changes, Security Support Provider (SSP) Added to LSA Configuration, Powershell Winlogon Helper DLL"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, CMSTP UAC Bypass via COM Object Access, HTML Smuggling Suspicious Usage, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, Reconnaissance Commands Activities, Setuid Or Setgid Usage"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: File and Directory Permissions Modification"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File and Directory Permissions Modification, ICacls Granting Access To All, AD Object WriteDAC Access, File Or Folder Permissions Modifications"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Windows Defender Deactivation Using PowerShell Script, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Debugging Software Deactivation, Microsoft Defender Antivirus Configuration Changed, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, TrustedInstaller Impersonation, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Microsoft Malware Protection Engine Crash, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, COM Hijack Via Sdclt, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage, WMI Event Subscription, Component Object Model Hijacking, Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, WMI Persistence Script Event Consumer File Write, Reconnaissance Commands Activities"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Ursnif Registry Key, Windows Defender Logging Modification Via Registry, Disable Security Events Logging Adding Reg Key MiniNt, Suspicious New Printer Ports In Registry, Disable .NET ETW Through COMPlus_ETWEnabled, RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, Disable Workstation Lock, NetNTLM Downgrade Attack, DNS ServerLevelPluginDll Installation, LanManServer Registry Modify, Suspicious Desktopimgdownldr Execution, Blue Mockingbird Malware, RDP Port Change Using Powershell, Disabling SmartScreen Via Registry, Chafer (APT 39) Activity, FlowCloud Malware, OceanLotus Registry Activity"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Lsass Wrong Parent, Malicious Service Installations, OneNote Suspicious Children Process, Svchost Wrong Parent, StoneDrill Service Install, Wininit Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Gpscript Suspicious Parent, APT29 Fake Google Update Service Install, Taskhost or Taskhostw Suspicious Child Found, Mshta Command From A Scheduled Task, Csrss Child Found, Rare Logonui Child Found, New Service Creation, SolarWinds Wrong Child Process, Cobalt Strike Default Service Creation Usage, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Chafer (APT 39) Activity, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Lsass Wrong Parent, Malicious Service Installations, OneNote Suspicious Children Process, Svchost Wrong Parent, StoneDrill Service Install, Wininit Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Gpscript Suspicious Parent, APT29 Fake Google Update Service Install, Taskhost or Taskhostw Suspicious Child Found, Mshta Command From A Scheduled Task, Csrss Child Found, Rare Logonui Child Found, New Service Creation, SolarWinds Wrong Child Process, Cobalt Strike Default Service Creation Usage, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Chafer (APT 39) Activity, Winrshost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Correlation Impacket Smbexec, Taskhost Wrong Parent, Credential Dumping Tools Service Execution, Smbexec.py Service Installation, Lsass Wrong Parent, Malicious Service Installations, Suspicious PsExec Execution, OneNote Suspicious Children Process, Svchost Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Metasploit PSExec Service Creation, Spoolsv Wrong Parent, Taskhostw Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Mshta Command From A Scheduled Task, Csrss Child Found, Rare Logonui Child Found, SolarWinds Wrong Child Process, PsExec Process, Windows Suspicious Service Creation, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Windows Update LolBins, Correlation Impacket Smbexec, Taskhost Wrong Parent, Credential Dumping Tools Service Execution, Smbexec.py Service Installation, Lsass Wrong Parent, Check Point Harmony Mobile Application Forbidden, Malicious Service Installations, Suspicious PsExec Execution, OneNote Suspicious Children Process, Wininit Wrong Parent, Svchost Wrong Parent, Winlogon wrong parent, Metasploit PSExec Service Creation, Spoolsv Wrong Parent, Taskhostw Wrong Parent, WMI Persistence Command Line Event Consumer, Exfiltration Via Pscp, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Microsoft Defender Antivirus Threat Detected, Mshta Command From A Scheduled Task, Usage Of Procdump With Common Arguments, Csrss Child Found, SolarWinds Suspicious File Creation, Rare Logonui Child Found, SolarWinds Wrong Child Process, PsExec Process, Windows Suspicious Service Creation, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dumping By LaZagne, Credential Dump Tools Related Files, Credential Dumping Tools Service Execution, Unsigned Image Loaded Into LSASS Process, Active Directory Database Dump Via Ntdsutil, Malicious Service Installations, Process Memory Dump Using Rdrleakdiag, RedMimicry Winnti Playbook Dropped File, Mimikatz LSASS Memory Access, Process Memory Dump Using Createdump, LSASS Memory Dump File Creation, Suspicious SAM Dump, Rubeus Tool Command-line, Lsass Access Through WinRM, Active Directory Replication from Non Machine Account, LSASS Access From Non System Account, Password Dumper Activity On LSASS, NTDS.dit File Interaction Through Command Line, Wdigest Enable UseLogonCredential, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, DCSync Attack, Windows Credential Editor Registry Key, Dumpert LSASS Process Dumper, Impacket Secretsdump.py Tool, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Mimikatz Basic Commands, Credential Dumping-Tools Common Named Pipes, NetNTLM Downgrade Attack, DPAPI Domain Backup Key Extraction, LSASS Memory Dump, Copying Browser Files With Credentials, Transferring Files With Credential Data Via Network Shares, Load Of dbghelp/dbgcore DLL From Suspicious Process, HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Comsvcs, SAM Registry Hive Handle Request, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Mimikatz LSASS Memory Access, Credential Dumping By LaZagne, Credential Dump Tools Related Files, Credential Dumping Tools Service Execution, Process Memory Dump Using Createdump, LSASS Memory Dump File Creation, Load Of dbghelp/dbgcore DLL From Suspicious Process, LSASS Access From Non System Account, Lsass Access Through WinRM, Unsigned Image Loaded Into LSASS Process, Password Dumper Activity On LSASS, Suspicious CommandLine Lsassy Pattern, Credential Dumping-Tools Common Named Pipes, Windows Credential Editor Registry Key, LSASS Memory Dump, Dumpert LSASS Process Dumper"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer, WMI Event Subscription"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, Narrator Feedback-Hub Persistence, Registry Key Used By Some Old Agent Tesla Samples, Microsoft Office Macro Security Registry Modifications, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification, Powershell Suspicious Startup Shortcut Persistence"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, Bloodhound and Sharphound Tools Usage, Remote Enumeration Of Lateral Movement Groups"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Phosphorus (APT35) Exchange Discovery, AD User Enumeration, Remote Privileged Group Enumeration, AD Privileged Users Or Groups Reconnaissance, Discovery Commands Correlation, Reconnaissance Commands Activities, Remote Enumeration Of Lateral Movement Groups"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, AD User Enumeration, AD Privileged Users Or Groups Reconnaissance, Discovery Commands Correlation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, AdFind Usage, Phosphorus Domain Controller Discovery, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 1, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, PowerShell Credential Prompt, PowerShell Malicious PowerShell Commandlets, Alternate PowerShell Hosts Pipe, Invoke-TheHash Commandlets, PowerShell NTFS Alternate Data Stream, PowerShell Invoke Expression With Registry, Turla Named Pipes, Detection of default Mimikatz banner, Powershell Web Request, Screenconnect Remote Execution, PowerShell Malicious Nishang PowerShell Commandlets, Sigma Intelligence ErrTraffic PowerShell Command Line, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Suspicious Context Changes, Evil Winrm Modules Execution, JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Malicious PowerShell Keywords, Suspicious PowerShell Keywords, Mshta Suspicious Child Process, Suspicious XOR Encoded PowerShell Command Line, In-memory PowerShell, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: New Or Renamed User Account With '$' In Attribute 'SamAccountName', Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, RTLO Character, Unsigned Driver Loaded From Suspicious Location, Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Smss Wrong Parent, MavInject Process Injection, Malicious Named Pipe, Process Herpaderping, Suspicious Process Requiring DLL Starts Without DLL, Taskhost Wrong Parent, Process Hollowing Detection, Cobalt Strike Named Pipes, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Dynwrapx Module Loading, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Mshta Command From A Scheduled Task, Svchost Wrong Parent"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WerFaultSecure Abuse, Tactical RMM Installation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, WMI Fingerprint Commands, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMI DLL Loaded Via Office, WMImplant Hack Tool, VSCode Tunnel Shell Exec, Impacket Wmiexec Module, Suspicious Mshta Execution From Wmi, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Remote Service Activity Via SVCCTL Named Pipe, Correlation Impacket Smbexec, Admin Share Access, Smbexec.py Service Installation, Protected Storage Service Access, Cobalt Strike Default Service Creation Usage, Lateral Movement Remote Named Pipe"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, RDP Login From Localhost, Remote Service Activity Via SVCCTL Named Pipe, MMC20 Lateral Movement, Correlation Impacket Smbexec, Admin Share Access, Smbexec.py Service Installation, Protected Storage Service Access, Lsass Access Through WinRM, Cobalt Strike Default Service Creation Usage, Denied Access To Remote Desktop, Lateral Movement Remote Named Pipe, MMC Spawning Windows Shell"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: GPO Executable Delivery, Privileged AD Builtin Group Modified, Creation or Modification of a GPO Scheduled Task, Domain Trust Created Or Removed"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Suspect Svchost Memory Access, Disable Security Events Logging Adding Reg Key MiniNt, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Antivirus Web Shell Detection, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Antivirus Web Shell Detection, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, Webshell Creation"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Information Stealer Downloading Legitimate Third-Party DLLs, Network Connection Via Certutil, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credentials Extraction, Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, CMSTP UAC Bypass via COM Object Access, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, Dynwrapx Module Loading, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regsvr32 Execution, xWizard Execution, AccCheckConsole Executing Dll, MOFComp Execution, Suspicious Windows Installer Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, Dynwrapx Module Loading, IcedID Execution Using Excel"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection, Dynwrapx Module Loading"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Lazarus Loaders, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Screenconnect Remote Execution, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Mustang Panda Dropper, Web Application Launching Shell, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: SysKey Registry Keys Access, Putty Sessions Listing, Remote Registry Management Using Reg Utility, Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Credentials Extraction, Outlook Registry Access, Remote Registry Management Using Reg Utility, XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Active Directory User Backdoors, Active Directory Delegate To KRBTGT Service, User Added to Local Administrators, Mimikatz Basic Commands, SeEnableDelegationPrivilege Granted To User Or Machine In Active Directory, Password Change On Directory Service Restore Mode (DSRM) Account, Privileged AD Builtin Group Modified, Active Directory Replication User Backdoor"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Stop Backup Services"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: SCM Database Handle Failure, PowerView commandlets 2, SCM Database Privileged Operation, PowerView commandlets 1"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, WMI DLL Loaded Via Office, Suspicious DLL Loaded Via Office Applications, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: ACLight Discovering Privileged Accounts, Remote System Discovery Via Telnet, System Network Connections Discovery, Adidnsdump Enumeration, Microsoft Windows Active Directory Module Commandlets"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Audit CVE Event"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Rubeus Tool Command-line, Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, STRRAT Scheduled Task, Creation or Modification of a GPO Scheduled Task, Schtasks Suspicious Parent, Windows Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Chafer (APT 39) Activity"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, Remote Task Creation Via ATSVC Named Pipe, STRRAT Scheduled Task, Creation or Modification of a GPO Scheduled Task, Schtasks Suspicious Parent, Windows Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Chafer (APT 39) Activity"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Suspicious TGS requests (Kerberoasting), Rubeus Register New Logon Process, Rubeus Tool Command-line, Possible Replay Attack, Suspicious Outbound Kerberos Connection, Kerberos Pre-Auth Disabled in UAC, Suspicious Kerberos Ticket, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, Correlation Post Exploitation Patterns Via Winrm, Cookies Deletion, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Secure Deletion With SDelete, Evil Winrm Modules Execution, ETW Tampering, Compression Followed By Suppression, Eventlog Cleared, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand, Secure Deletion With SDelete"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Impacket Secretsdump.py Tool, Active Directory Database Dump Via Ntdsutil, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1070.008", "score": 100, "comment": "Rules: Evil Winrm Modules Execution, Correlation Post Exploitation Patterns Via Winrm"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, Netscan Share Access Artefact, PowerView commandlets 2, Correlation Admin Files Checked On Network Share"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, TUN/TAP Driver Installation, Exfiltration Domain, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Sliver DNS Beaconing, Chafer (APT 39) Activity"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Privileged AD Builtin Group Modified, Computer Account Deleted"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Msdt (Follina) File Browse Process Execution, Antivirus Exploitation Framework Detection, Suspicious Hangul Word Processor Child Process, Antivirus Password Dumper Detection, Audit CVE Event, Suspicious New Printer Ports In Registry, Exploit For CVE-2015-1641"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Antivirus Password Dumper Detection"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Credential Dumping Tools Service Execution, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping-Tools Common Named Pipes, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, Impacket Addcomputer, User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior, Possible RottenPotato Attack"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Remote Task Creation Via ATSVC Named Pipe, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot, Account Added To A Security Enabled Group, User Added to Local Administrators, Admin User RDP Remote Logon, Denied Access To Remote Desktop, Account Removed From A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Dropped File, Copying Browser Files With Credentials, Credential Dump Tools Related Files, Credential Dumping Tools Service Execution, Suspicious SAM Dump, Impacket Secretsdump.py Tool, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, SAM Registry Hive Handle Request, Credential Dumping-Tools Common Named Pipes"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, Svchost DLL Search Order Hijack, Suspicious DLL side loading from ProgramData, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, Werfault DLL Injection, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Elevated Msiexec Via Repair Functionality, DHCP Server Error Failed Loading the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, Svchost DLL Search Order Hijack, Suspicious DLL side loading from ProgramData, Windows Registry Persistence COM Search Order Hijacking, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, Werfault DLL Injection, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, Elevated Shell Launched By Browser"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Audit CVE Event, Suspicious New Printer Ports In Registry, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event, CVE-2019-0708 Scan, Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack, Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Kerberos Password Spraying, Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Correlation Internal Kerberos Password Spraying, Successful Brute Force Login From Internet, Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, RDP Login From Localhost, Denied Access To Remote Desktop"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, DCSync Attack, Active Directory Replication from Non Machine Account"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, Office Application Startup Office Test, Microsoft Office Startup Add-In, IcedID Execution Using Excel"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Loading Scripting Libraries"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Correlation PowerShell Suspicious DLL Loading, HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Credential Dumping Tools Service Execution, Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping-Tools Common Named Pipes, DPAPI Domain Backup Key Extraction"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious Hostname, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: Successful Brute Force Login From Internet"}, {"techniqueID": "T1649", "score": 100, "comment": "Rules: Suspicious Kerberos Ticket, Suspicious Certificate Request-adcs Abuse"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1558.004", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json
index ed622c8235..f4717481f2 100644
--- a/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Kaspersky Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Names, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Linux Masquerading Space After Name, Phorpiex Process Masquerading"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Kaspersky Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Linux Masquerading Space After Name, RTLO Character, Phorpiex Process Masquerading"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, Process Trace Alteration"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
index bfd598335c..289f81f68b 100644
--- a/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Login Brute-Force Successful On SentinelOne EDR Management Console, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cryptomining, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Login Brute-Force Successful On SentinelOne EDR Management Console, Sekoia.io EICAR Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Login Brute-Force Successful On SentinelOne EDR Management Console, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
index ade509551c..feddb6cab9 100644
--- a/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious File Name, QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Login Brute-Force Successful On SentinelOne EDR Management Console, Powershell Web Request, SquirrelWaffle Malspam Execution Loading DLL, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, Trickbot Malware Activity, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Generic, Suspicious VBS Execution Parameter, Powershell Web Request And Windows Script, Microsoft Defender Antivirus Threat Detected, Generic-reverse-shell-oneliner, Web Application Launching Shell, Suspicious Microsoft Defender Antivirus Exclusion Command, AutoIt3 Execution From Suspicious Folder, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, PowerShell EncodedCommand, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Elise Backdoor, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Interactive Terminal Spawned via Python, Mustang Panda Dropper, Mshta Suspicious Child Process, Screenconnect Remote Execution, Sysprep On AppData Folder, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Office Spawning Script, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Driver Loaded, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, Netsh Port Forwarding, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Suspicious Driver Loaded, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, FLTMC command usage, Netsh Allow Command, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Powershell AMSI Bypass, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1547.013", "score": 100, "comment": "Rules: Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, DLL Load via LSASS Registry Key, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, Svchost Modification, Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration, Njrat Registry Values, Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Trace Alteration, Copying Browser Files With Credentials, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Wdigest Enable UseLogonCredential, Credential Dump Tools Related Files, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, HackTools Suspicious Names, Windows Credential Editor Registry Key, WCE wceaux.dll Creation, Rubeus Tool Command-line, NTDS.dit File In Suspicious Directory, NetNTLM Downgrade Attack, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, Hijack Legit RDP Session To Move Laterally, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Legitimate Process Execution From Unusual Folder, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Chflags Hidden, Hiding Files With Attrib.exe"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Openfiles Usage, Network Scanning and Discovery"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Deleted, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Process Hollowing Detection, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Process Herpaderping, Smss Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Mshta Command From A Scheduled Task, Spoolsv Wrong Parent, MavInject Process Injection, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, OceanLotus Registry Activity, Windows Defender Logging Modification Via Registry, LanManServer Registry Modify, NetNTLM Downgrade Attack, Ursnif Registry Key, DHCP Callout DLL Installation, Disabling SmartScreen Via Registry, FlowCloud Malware, RDP Sensitive Settings Changed, DNS ServerLevelPluginDll Installation, Suspicious Desktopimgdownldr Execution, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, MOFComp Execution, Suspicious Windows Installer Execution, IcedID Execution Using Excel, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Explorer Process Executing HTA File, Control Panel Items, Mshta JavaScript Execution, AccCheckConsole Executing Dll, CMSTP UAC Bypass via COM Object Access, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Process Call Creation, VSCode Tunnel Shell Exec, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WerFaultSecure Abuse, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, Screenconnect Remote Execution, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Taskkill Command, Web Application Launching Shell, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Wininit Wrong Parent, Logonui Wrong Parent, New Service Creation, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Wininit Wrong Parent, Logonui Wrong Parent, New Service Creation, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Wininit Wrong Parent, Logonui Wrong Parent, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, PsExec Process, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Csrss Child Found, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Suspicious DNS Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Gpscript Suspicious Parent, Login Brute-Force Successful On SentinelOne EDR Management Console, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Wininit Wrong Parent, Logonui Wrong Parent, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Microsoft Defender Antivirus Threat Detected, Csrss Wrong Parent, Taskhostw Wrong Parent, PsExec Process, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Windows Update LolBins, Csrss Child Found, SolarWinds Suspicious File Creation, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Suspicious DNS Child Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Component Object Model Hijacking, Suspicious Netsh DLL Persistence, Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, Screenconnect Remote Execution, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Trickbot Malware Activity, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: MS Office Product Spawning Exe in User Dir, Sysmon Windows File Block Executable, Winword Document Droppers, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: MS Office Product Spawning Exe in User Dir, Sysmon Windows File Block Executable, Suspicious Outlook Child Process, Winword Document Droppers, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Microsoft Defender Antivirus Threat Detected, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel, Login Brute-Force Successful On SentinelOne EDR Management Console, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Svchost Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Rclone Process"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, Dynamic DNS Contacted, Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Generic Password Discovery, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft IIS Module Installation, Exchange Server Spawning Suspicious Processes, Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, User Added To Admin Group Via Cmd, Dscl Authonly, Account Removed From A Security Enabled Group, Enable Root Account With Dsenableroot"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1563.001", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1563", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1555.001", "score": 100, "comment": "Rules: Generic Password Discovery"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Suspicious VBS Execution Parameter, PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell EncodedCommand, Microsoft Office Creating Suspicious File, PowerShell Downgrade Attack, Interactive Terminal Spawned via Python, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Web Application Launching Shell, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, WMIC Uninstall Product, Trickbot Malware Activity, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, Powershell Web Request, Screenconnect Remote Execution, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Bloodhound and Sharphound Tools Usage, Suspicious Outlook Child Process, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Sysprep On AppData Folder, PowerShell Commands Invocation, AutoIt3 Execution From Suspicious Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Generic-reverse-shell-oneliner, SquirrelWaffle Malspam Execution Loading DLL, Socat Relaying Socket, Mustang Panda Dropper, Microsoft Defender Antivirus Threat Detected, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, Mshta Suspicious Child Process, Suspicious Cmd.exe Command Line, Suspicious XOR Encoded PowerShell Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Bash Reverse Shell, Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Login Brute-Force Successful On SentinelOne EDR Management Console, Suspicious File Name"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Winword Document Droppers, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Sysmon Windows File Block Executable, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console, Suspicious Outlook Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Smss Wrong Parent, Windows Update LolBins, Taskhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Exfiltration Via Pscp, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Microsoft Defender Antivirus Threat Detected, Mshta Command From A Scheduled Task, Usage Of Procdump With Common Arguments, Csrss Child Found, SolarWinds Suspicious File Creation, Rare Logonui Child Found, SolarWinds Wrong Child Process, PsExec Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Login Brute-Force Successful On SentinelOne EDR Management Console, Winrshost Wrong Parent"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Winword Document Droppers, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Sysmon Windows File Block Executable, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Suspicious Windows DNS Queries, Cryptomining, Dynamic DNS Contacted, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, Netsh Program Allowed With Suspicious Location, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh Port Opening, Attempt to Disable Gatekeeper Execution Control, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, FLTMC command usage, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Tampering Detected, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Smss Wrong Parent, MavInject Process Injection, Process Herpaderping, Suspicious Process Requiring DLL Starts Without DLL, Taskhost Wrong Parent, Process Hollowing Detection, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Mshta Command From A Scheduled Task, Svchost Wrong Parent"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, Shadow Copies"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key, Malware Persistence Registry Key, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, Linux Suspicious Auto-start Desktop Shortcut Execution, Suspicious desktop.ini Action, Microsoft Office Macro Security Registry Modifications, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Security Support Provider (SSP) Added to LSA Configuration, Powershell Winlogon Helper DLL"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, Chflags Hidden, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1547.013", "score": 100, "comment": "Rules: Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Mimikatz Basic Commands, NetNTLM Downgrade Attack, Copying Browser Files With Credentials, HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage, Component Object Model Hijacking, Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Disabling SmartScreen Via Registry, Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Suspicious Desktopimgdownldr Execution, Windows Defender Logging Modification Via Registry, RDP Sensitive Settings Changed, DNS ServerLevelPluginDll Installation, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, Disable Workstation Lock, NetNTLM Downgrade Attack, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious New Printer Ports In Registry, LanManServer Registry Modify, OceanLotus Registry Activity"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 1"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 1, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Powershell Web Request, Screenconnect Remote Execution, PowerShell Malicious Nishang PowerShell Commandlets, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Mshta Suspicious Child Process, Suspicious XOR Encoded PowerShell Command Line, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Smss Wrong Parent, Taskhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Child Found, Mshta Command From A Scheduled Task, Rare Logonui Child Found, New Service Creation, SolarWinds Wrong Child Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Smss Wrong Parent, Taskhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Child Found, Mshta Command From A Scheduled Task, Rare Logonui Child Found, New Service Creation, SolarWinds Wrong Child Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Smss Wrong Parent, Taskhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Mshta Command From A Scheduled Task, Csrss Child Found, Rare Logonui Child Found, SolarWinds Wrong Child Process, PsExec Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WerFaultSecure Abuse, Tactical RMM Installation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, VSCode Tunnel Shell Exec, Impacket Wmiexec Module, Suspicious Mshta Execution From Wmi, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, Webshell Creation"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, CMSTP UAC Bypass via COM Object Access, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regsvr32 Execution, xWizard Execution, AccCheckConsole Executing Dll, MOFComp Execution, Suspicious Windows Installer Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Lazarus Loaders, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Screenconnect Remote Execution, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Mustang Panda Dropper, Web Application Launching Shell, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, User Added To Admin Group Via Cmd, Account Removed From A Security Enabled Group, Enable Root Account With Dsenableroot, Dscl Authonly"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Suspicious New Printer Ports In Registry, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Generic Password Discovery, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1555.001", "score": 100, "comment": "Rules: Generic Password Discovery"}, {"techniqueID": "T1563.001", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1563", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json
index de7f42c980..760908e8f5 100644
--- a/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Broadcom Edge Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cryptomining, Sliver DNS Beaconing, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Broadcom Edge Secure Web Gateway High Threat"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Broadcom Edge Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Sliver DNS Beaconing, Detect requests to Konni C2 servers, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Broadcom Edge Secure Web Gateway High Threat"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json
index 7d37e84b4c..e30a0f0b6e 100644
--- a/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x VMware ESXi", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Generic, Suspicious VBS Execution Parameter, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Generic-reverse-shell-oneliner, Correlation Supicious Powershell Drop and Exec, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Aspnet Compiler, PowerShell EncodedCommand, MalwareBytes Uninstallation, Elise Backdoor, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Interactive Terminal Spawned via Python, Mustang Panda Dropper, Sysprep On AppData Folder, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, Correlation Netcat Infection Chain, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Package Manager Alteration, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Package Manager Alteration, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, Container Credential Access, Opening Of a Password File, Credentials Extraction, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Correlation Netcat Infection Chain"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, Process Trace Alteration, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Createdump, WCE wceaux.dll Creation, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Enabling Restricted Admin Mode, SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Hijack Legit RDP Session To Move Laterally, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, Elevated Shell Launched By Browser, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery, WMI Fingerprint Commands"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Correlation Netcat Infection Chain, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Information Stealer Downloading Legitimate Third-Party DLLs, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Rclone Process"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, Shell PID Injection, Reconnaissance Commands Activities, COM Hijack Via Sdclt, UAC Bypass Via Sdclt"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, PowerView commandlets 1, Shell PID Injection, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Shell PID Injection, Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Chflags Hidden, Hiding Files With Attrib.exe"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Windows Defender Logging Modification Via Registry, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, Suspicious Windows Installer Execution, MavInject Process Injection, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Explorer Process Executing HTA File, Control Panel Items, Mshta JavaScript Execution, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, WMI Fingerprint Commands, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WerFaultSecure Abuse"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, QakBot Process Creation, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Change Default File Association, COM Hijack Via Sdclt, Reconnaissance Commands Activities, Component Object Model Hijacking, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Correlation Supicious Powershell Drop and Exec, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, ISO LNK Infection Chain, HTA Infection Chains"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, SolarWinds Suspicious File Creation, PsExec Process, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Remote System Discovery Via Telnet, Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool, Credentials Extraction, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Suspicious Windows DNS Queries, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Dynamic DNS Contacted, Cryptomining, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Suspicious Windows DNS Queries, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, DNS Exfiltration and Tunneling Tools Execution, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft IIS Module Installation, Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot, User Added To Admin Group Via Cmd, Dscl Authonly"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x VMware ESXi", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Suspicious VBS Execution Parameter, PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell EncodedCommand, Microsoft Office Creating Suspicious File, PowerShell Downgrade Attack, Interactive Terminal Spawned via Python, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Correlation Netcat Infection Chain, WMIC Uninstall Product, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Sysprep On AppData Folder, PowerShell Commands Invocation, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Generic-reverse-shell-oneliner, Socat Relaying Socket, Mustang Panda Dropper, JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, Suspicious Cmd.exe Command Line, Suspicious XOR Encoded PowerShell Command Line, Aspnet Compiler, Linux Bash Reverse Shell, Malspam Execution Registering Malicious DLL, Suspicious File Name"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Suspicious Windows DNS Queries, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Shell PID Injection, UAC Bypass Via Sdclt, Reconnaissance Commands Activities"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 1, PowerView commandlets 2, Shell PID Injection, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Fail2ban Unban IP, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, Netsh RDP Port Opening, ETW Tampering, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Fail2ban Unban IP, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Correlation Netcat Infection Chain, Linux Bash Reverse Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Information Stealer Downloading Legitimate Third-Party DLLs, Network Connection Via Certutil, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Correlation Netcat Infection Chain, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, WMI Fingerprint Commands, System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Elevated Msiexec Via Repair Functionality, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, Elevated Shell Launched By Browser"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Kernel Module Alteration, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, Chflags Hidden, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Credentials Extraction, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode, SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Cron Files Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, WCE wceaux.dll Creation, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write, Reconnaissance Commands Activities"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 1, NlTest Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WerFaultSecure Abuse, Tactical RMM Installation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, WMI Fingerprint Commands, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credentials Extraction, Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regsvr32 Execution, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ISO LNK Infection Chain, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, HTA Infection Chains"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Python HTTP Server, Suspicious Windows DNS Queries, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, Webshell Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd, Enable Root Account With Dsenableroot, Dscl Authonly"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2bfa5c39-bc73-48cf-afbd-7fd0eccf1d59_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2bfa5c39-bc73-48cf-afbd-7fd0eccf1d59_do_not_edit_manually.json
index bd3fa15a2b..0898c8803b 100644
--- a/_shared_content/operations_center/detection/generated/attack_2bfa5c39-bc73-48cf-afbd-7fd0eccf1d59_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2bfa5c39-bc73-48cf-afbd-7fd0eccf1d59_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Broadcom Siteminder", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Koadic MSHTML Command"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Broadcom Siteminder", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Koadic MSHTML Command, Dynamic DNS Contacted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2c9ce787-85dc-45d9-a320-33a96077fead_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2c9ce787-85dc-45d9-a320-33a96077fead_do_not_edit_manually.json
index f750872203..535f204c54 100644
--- a/_shared_content/operations_center/detection/generated/attack_2c9ce787-85dc-45d9-a320-33a96077fead_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2c9ce787-85dc-45d9-a320-33a96077fead_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Forcepoint Next-Generation Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Python Offensive Tools and Packages, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Generic, Suspicious VBS Execution Parameter, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Generic-reverse-shell-oneliner, Correlation Supicious Powershell Drop and Exec, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Aspnet Compiler, PowerShell EncodedCommand, MalwareBytes Uninstallation, Elise Backdoor, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Interactive Terminal Spawned via Python, Mustang Panda Dropper, Sysprep On AppData Folder, Socat Reverse Shell Detection, Correlation Netcat Infection Chain, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Services, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, Container Credential Access, Opening Of a Password File, Credentials Extraction, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Correlation Netcat Infection Chain"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, Process Trace Alteration, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Active Directory Database Dump Via Ntdsutil, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery, WMI Fingerprint Commands"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Correlation Netcat Infection Chain, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Rclone Process"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, Shell PID Injection, Reconnaissance Commands Activities, COM Hijack Via Sdclt, UAC Bypass Via Sdclt"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, PowerView commandlets 1, Shell PID Injection, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Shell PID Injection, Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Chflags Hidden, Hiding Files With Attrib.exe"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Windows Defender Logging Modification Via Registry, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, Suspicious Windows Installer Execution, MavInject Process Injection, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Explorer Process Executing HTA File, Control Panel Items, Mshta JavaScript Execution, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, WMI Fingerprint Commands, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WerFaultSecure Abuse"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, QakBot Process Creation, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Change Default File Association, COM Hijack Via Sdclt, Reconnaissance Commands Activities, Component Object Model Hijacking, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Correlation Supicious Powershell Drop and Exec, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Remote System Discovery Via Telnet, Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credentials Extraction, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Dynamic DNS Contacted, Cryptomining, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, User Added To Admin Group Via Cmd, Dscl Authonly, Account Removed From A Security Enabled Group, Enable Root Account With Dsenableroot"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft IIS Module Installation, PowerCat Function Loading"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Forcepoint Next-Generation Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Suspicious VBS Execution Parameter, PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell EncodedCommand, PowerShell Downgrade Attack, Interactive Terminal Spawned via Python, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Correlation Netcat Infection Chain, WMIC Uninstall Product, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, Powershell Web Request, Python Offensive Tools and Packages, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Sysprep On AppData Folder, PowerShell Commands Invocation, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Generic-reverse-shell-oneliner, Socat Relaying Socket, Mustang Panda Dropper, JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, Suspicious Cmd.exe Command Line, Suspicious XOR Encoded PowerShell Command Line, Aspnet Compiler, Linux Bash Reverse Shell, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Shell PID Injection, UAC Bypass Via Sdclt, Reconnaissance Commands Activities"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 1, PowerView commandlets 2, Shell PID Injection, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Netsh Allow Command, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Correlation Netcat Infection Chain, Linux Bash Reverse Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Correlation Netcat Infection Chain, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, WMI Fingerprint Commands, System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Kernel Module Alteration, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, Chflags Hidden, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Credentials Extraction, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, HackTools Suspicious Names, Active Directory Database Dump Via Ntdsutil, Copying Sensitive Files With Credential Data, Mimikatz Basic Commands, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Reconnaissance Commands Activities"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 1, NlTest Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, RTLO Character, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WerFaultSecure Abuse, Tactical RMM Installation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, WMI Fingerprint Commands, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regsvr32 Execution, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, PsExec Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credentials Extraction, PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, User Added To Admin Group Via Cmd, Account Removed From A Security Enabled Group, Enable Root Account With Dsenableroot, Dscl Authonly"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft IIS Module Installation"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json
index 9812568561..c20d80bc72 100644
--- a/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco ESA", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco ESA", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Dynamic DNS Contacted, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2f28e4f9-a4f3-40a6-9909-b69f3df32535_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2f28e4f9-a4f3-40a6-9909-b69f3df32535_do_not_edit_manually.json
index 03c9bcd9b2..51211cc95e 100644
--- a/_shared_content/operations_center/detection/generated/attack_2f28e4f9-a4f3-40a6-9909-b69f3df32535_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2f28e4f9-a4f3-40a6-9909-b69f3df32535_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Gatewatcher AionIQ V103", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name, Gatewatcher AionIQ V103 Shellcode Detect"}, {"techniqueID": "T1029", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Malicious Powershell Detect"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Beacon Detect, Gatewatcher AionIQ V103 Sigflow Alert, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Network Behavior Analytics"}, {"techniqueID": "T1598", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Retrohunt, Gatewatcher AionIQ V103 Active CTI"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Ransomware Detect"}, {"techniqueID": "T1568.002", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Dga Detect"}, {"techniqueID": "T1568", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Dga Detect"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Gatewatcher AionIQ V103 Malcore, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Gatewatcher AionIQ V103 Malcore, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Gatewatcher AionIQ V103", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection, Gatewatcher AionIQ V103 Shellcode Detect"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Gatewatcher AionIQ V103 Beacon Detect, Gatewatcher AionIQ V103 Sigflow Alert"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Dynamic DNS Contacted, Potential LokiBot User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Email Attachment Received, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1568.002", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Dga Detect"}, {"techniqueID": "T1568", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Dga Detect"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Network Behavior Analytics"}, {"techniqueID": "T1598", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Retrohunt, Gatewatcher AionIQ V103 Active CTI"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Gatewatcher AionIQ V103 Malcore"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Gatewatcher AionIQ V103 Malcore"}, {"techniqueID": "T1029", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Malicious Powershell Detect"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Ransomware Detect"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential LokiBot User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.json
index 2dc7c23a36..7a57b3f83a 100644
--- a/_shared_content/operations_center/detection/generated/attack_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ESET Protect", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, QakBot Process Creation, Sekoia.io EICAR Detection, Web Application Launching Shell, Microsoft Office Spawning Script, Bloodhound and Sharphound Tools Usage, AutoIt3 Execution From Suspicious Folder, Powershell Web Request"}, {"techniqueID": "T1547.013", "score": 100, "comment": "Rules: Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Trace Alteration"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Legitimate Process Execution From Unusual Folder, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading, RTLO Character"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.008", "score": 100, "comment": "Rules: Correlation Post Exploitation Patterns Via Winrm"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Correlation Post Exploitation Patterns Via Winrm"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Taskhostw Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Taskhostw Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Taskhostw Wrong Parent, PsExec Process, Lsass Wrong Parent, Csrss Child Found, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Suspicious DNS Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Taskhostw Wrong Parent, PsExec Process, Lsass Wrong Parent, Csrss Child Found, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Suspicious DNS Child Process"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, QakBot Process Creation"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Cobalt Strike Default Beacons Names, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: MS Office Product Spawning Exe in User Dir, Suspicious Outlook Child Process, Winword Document Droppers, HTA Infection Chains, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, ESET Protect Intrusion Detection, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, ISO LNK Infection Chain, Exploit For CVE-2015-1641"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Powershell Web Request"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, ESET Protect Malware, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Elevated Shell Launched By Browser"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: ESET Protect Vulnerability Exploitation Attempt, Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: ESET Protect Vulnerability Exploitation Attempt, Elevated Shell Launched By Browser"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Web Application Launching Shell"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1563.001", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1563", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: ESET Protect Set Policy"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: ESET Protect Remote Action"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ESET Protect", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, QakBot Process Creation, AutoIt3 Execution From Suspicious Folder, Powershell Web Request, Microsoft Office Spawning Script, Web Application Launching Shell, Bloodhound and Sharphound Tools Usage, Suspicious Outlook Child Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, ESET Protect Malware, Suspicious Outlook Child Process"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, RTLO Character, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Linux Suspicious Auto-start Desktop Shortcut Execution, Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.013", "score": 100, "comment": "Rules: Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Names"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Powershell Web Request"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Smss Wrong Parent, Taskhost Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Svchost Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Smss Wrong Parent, Taskhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Winlogon wrong parent, Taskhostw Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Child Found, Rare Logonui Child Found, SolarWinds Wrong Child Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Smss Wrong Parent, Taskhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Winlogon wrong parent, Taskhostw Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Child Found, Rare Logonui Child Found, SolarWinds Wrong Child Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Smss Wrong Parent, Taskhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Winlogon wrong parent, Taskhostw Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Child Found, Rare Logonui Child Found, SolarWinds Wrong Child Process, PsExec Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Smss Wrong Parent, Taskhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Winlogon wrong parent, Taskhostw Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Child Found, Rare Logonui Child Found, SolarWinds Wrong Child Process, PsExec Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1070.008", "score": 100, "comment": "Rules: Correlation Post Exploitation Patterns Via Winrm"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Correlation Post Exploitation Patterns Via Winrm"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Winword Document Droppers, MS Office Product Spawning Exe in User Dir, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, ESET Protect Intrusion Detection, HTA Infection Chains, Suspicious Outlook Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, QakBot Process Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Web Application Launching Shell"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, ESET Protect Vulnerability Exploitation Attempt"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, ESET Protect Vulnerability Exploitation Attempt"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot"}, {"techniqueID": "T1563.001", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1563", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: ESET Protect Remote Action"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: ESET Protect Set Policy"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json
index 8fb3e1fcfe..4db69f522f 100644
--- a/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sophos Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, WAF Block Rule, Internet Scanner, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cryptomining, Potential LokiBot User-Agent, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sophos Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, WAF Block Rule, WAF Correlation Block actions, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json
index 488c236512..7bf74fdec6 100644
--- a/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Suricata", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Suricata Web Application Attack High Severity Alert, Suricata Exploit Kit Activity Detected High Severity Alert, Suricata Attempted Administrator Privilege Gain High Severity Alert, Download Files From Suspicious TLDs"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default POST Beaconing, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Sliver DNS Beaconing, Cobalt Strike HTTP Default POST Beaconing, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing, SEKOIA.IO Intelligence Feed, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Suricata", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential LokiBot User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Cobalt Strike DNS Beaconing, LokiBot Default C2 URL, Koadic MSHTML Command, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suricata Exploit Kit Activity Detected High Severity Alert, Suricata Attempted Administrator Privilege Gain High Severity Alert, Suricata Web Application Attack High Severity Alert"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.json
index ee6314646e..49d29813de 100644
--- a/_shared_content/operations_center/detection/generated/attack_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Network Watcher [DEPRECATED]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Network Watcher [DEPRECATED]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json
index fcb009a740..4d265adca9 100644
--- a/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OpenLDAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OpenLDAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_39280bac-34d7-4fa2-a6b5-c43791eed1bc_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_39280bac-34d7-4fa2-a6b5-c43791eed1bc_do_not_edit_manually.json
index 66651eadb3..ad378fff22 100644
--- a/_shared_content/operations_center/detection/generated/attack_39280bac-34d7-4fa2-a6b5-c43791eed1bc_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_39280bac-34d7-4fa2-a6b5-c43791eed1bc_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Activity Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, SquirrelWaffle Malspam Execution Loading DLL, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Generic, Suspicious VBS Execution Parameter, Powershell Web Request And Windows Script, Generic-reverse-shell-oneliner, Web Application Launching Shell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, PowerShell EncodedCommand, MalwareBytes Uninstallation, Elise Backdoor, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Interactive Terminal Spawned via Python, Mustang Panda Dropper, Sysprep On AppData Folder, Screenconnect Remote Execution, Socat Reverse Shell Detection, Microsoft Office Spawning Script, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Services, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, FLTMC command usage, Netsh Allow Command, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, Process Trace Alteration, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Chflags Hidden, Hiding Files With Attrib.exe"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Openfiles Usage, Network Scanning and Discovery"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Windows Defender Logging Modification Via Registry, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, MOFComp Execution, Suspicious Windows Installer Execution, IcedID Execution Using Excel, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, xWizard Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Explorer Process Executing HTA File, Control Panel Items, Mshta JavaScript Execution, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Process Call Creation, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WerFaultSecure Abuse, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, Screenconnect Remote Execution, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Web Application Launching Shell, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Component Object Model Hijacking, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, FromBase64String Command Line, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Screenconnect Remote Execution, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Winword Document Droppers, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Winword Document Droppers, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, PsExec Process, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Windows Update LolBins, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, PsExec Process, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Suspicious DNS Child Process"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Rclone Process"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Generic Password Discovery, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Tunnel Technique From MuddyWater, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Microsoft IIS Module Installation, PowerCat Function Loading"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot, User Added To Admin Group Via Cmd, Dscl Authonly"}, {"techniqueID": "T1555.001", "score": 100, "comment": "Rules: Generic Password Discovery"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Activity Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Suspicious VBS Execution Parameter, PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell EncodedCommand, PowerShell Downgrade Attack, Interactive Terminal Spawned via Python, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Web Application Launching Shell, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, WMIC Uninstall Product, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, Screenconnect Remote Execution, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Bloodhound and Sharphound Tools Usage, Suspicious Outlook Child Process, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Sysprep On AppData Folder, PowerShell Commands Invocation, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Generic-reverse-shell-oneliner, SquirrelWaffle Malspam Execution Loading DLL, Socat Relaying Socket, Mustang Panda Dropper, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, Suspicious Cmd.exe Command Line, Suspicious XOR Encoded PowerShell Command Line, Linux Bash Reverse Shell, Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Netsh Allow Command, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, FLTMC command usage, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, Shadow Copies"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Kernel Module Alteration, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, Chflags Hidden, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, HackTools Suspicious Names, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 1"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 1, NlTest Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Screenconnect Remote Execution, PowerShell Malicious Nishang PowerShell Commandlets, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Formbook Hijacked Process Command, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WerFaultSecure Abuse, Tactical RMM Installation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, Impacket Wmiexec Module, Suspicious Mshta Execution From Wmi, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Microsoft IIS Module Installation"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, CMSTP Execution, Suspicious Regsvr32 Execution, xWizard Execution, AccCheckConsole Executing Dll, MOFComp Execution, Suspicious Windows Installer Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Screenconnect Remote Execution, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Mustang Panda Dropper, Web Application Launching Shell, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Winword Document Droppers, IcedID Execution Using Excel, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Winword Document Droppers, IcedID Execution Using Excel, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Suspicious Outlook Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious DNS Child Process, SolarWinds Wrong Child Process, PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Windows Update LolBins, Suspicious DNS Child Process, SolarWinds Wrong Child Process, Exfiltration Via Pscp, PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, OneNote Suspicious Children Process"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Generic Password Discovery, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd, Enable Root Account With Dsenableroot, Dscl Authonly"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1555.001", "score": 100, "comment": "Rules: Generic Password Discovery"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json
index 93a6eafa39..f7ee7e7ffa 100644
--- a/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x HarfangLab EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious File Name, QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Python Offensive Tools and Packages, Suspicious Scripting In A WMI Consumer, Powershell Web Request, SquirrelWaffle Malspam Execution Loading DLL, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, Trickbot Malware Activity, PowerShell Credential Prompt, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Suspicious Taskkill Command, Web Application Launching Shell, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Generic, Malicious PowerShell Keywords, Suspicious VBS Execution Parameter, Powershell Web Request And Windows Script, Microsoft Defender Antivirus Threat Detected, JS PowerShell Infection Chains, Generic-reverse-shell-oneliner, Correlation Supicious Powershell Drop and Exec, Sigma Intelligence ErrTraffic PowerShell Command Line, Evil Winrm Modules Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, AutoIt3 Execution From Suspicious Folder, Suspicious PowerShell Invocations - Specific, PowerShell NTFS Alternate Data Stream, Lazarus Loaders, Aspnet Compiler, PowerShell EncodedCommand, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Elise Backdoor, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Interactive Terminal Spawned via Python, Mustang Panda Dropper, PowerShell Suspicious Context Changes, Screenconnect Remote Execution, Mshta Suspicious Child Process, Sysprep On AppData Folder, PowerShell Malicious PowerShell Commandlets, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, Exploited CVE-2020-10189 Zoho ManageEngine, Correlation Netcat Infection Chain, Microsoft Office Spawning Script, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, HarfangLab EDR Medium Threat, Cobalt Strike Default Beacons Names, HarfangLab EDR Low Level Rule Detection, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Low Threat, IcedID Execution Using Excel, HarfangLab EDR High Threat, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Critical Level Rule Detection, Malspam Execution Registering Malicious DLL, HarfangLab EDR Process Execution Blocked (HL-AI engine), Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Critical Threat, Exploit For CVE-2015-1641, HarfangLab EDR Hlai Engine Detection, Winword Document Droppers, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, HarfangLab EDR Medium Level Rule Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, HarfangLab EDR Medium Threat, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, HarfangLab EDR Low Level Rule Detection, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Low Threat, IcedID Execution Using Excel, HTA Infection Chains, HarfangLab EDR High Threat, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Critical Level Rule Detection, Malspam Execution Registering Malicious DLL, HarfangLab EDR Process Execution Blocked (HL-AI engine), Explorer Process Executing HTA File, Correlation PowerShell Suspicious DLL Loading, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Critical Threat, Microsoft Defender Antivirus Threat Detected, ISO LNK Infection Chain, Exploit For CVE-2015-1641, HarfangLab EDR Hlai Engine Detection, Winword Document Droppers, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, HarfangLab EDR Medium Level Rule Detection"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Windows Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Chafer (APT 39) Activity, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, STRRAT Scheduled Task, Remote Task Creation Via ATSVC Named Pipe, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Driver Loaded, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Package Manager Alteration, Windows Defender Deactivation Using PowerShell Script, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, TrustedInstaller Impersonation, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Suspicious Driver Loaded, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, FLTMC command usage, Netsh Allow Command, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Package Manager Alteration, Windows Defender Deactivation Using PowerShell Script, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, TrustedInstaller Impersonation, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Malware Protection Engine Crash, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1547.013", "score": 100, "comment": "Rules: Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, DLL Load via LSASS Registry Key, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, Svchost Modification, Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration, Njrat Registry Values, Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, Container Credential Access, Remote Registry Management Using Reg Utility, Opening Of a Password File, Credentials Extraction, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Correlation Netcat Infection Chain"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Dumpert LSASS Process Dumper, Process Trace Alteration, Impacket Secretsdump.py Tool, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Wdigest Enable UseLogonCredential, Credential Dump Tools Related Files, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, HackTools Suspicious Names, Windows Credential Editor Registry Key, Password Dumper Activity On LSASS, Malicious Service Installations, WCE wceaux.dll Creation, Rubeus Tool Command-line, NTDS.dit File In Suspicious Directory, Transferring Files With Credential Data Via Network Shares"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, User Added to Local Administrators, SeEnableDelegationPrivilege Granted To User Or Machine In Active Directory, Add User to Privileged Group, Privileged AD Builtin Group Modified, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, DHCP Server Error Failed Loading the CallOut DLL, Hijack Legit RDP Session To Move Laterally, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation, Elevated Shell Launched By Browser, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Legitimate Process Execution From Unusual Folder, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery, WMI Fingerprint Commands"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Correlation Netcat Infection Chain, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Information Stealer Downloading Legitimate Third-Party DLLs, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Rclone Process"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection, Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, Shell PID Injection, COM Hijack Via Sdclt, Reconnaissance Commands Activities, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Remote Enumeration Of Lateral Movement Groups, PowerView commandlets 1, AD User Enumeration, Remote Privileged Group Enumeration, Shell PID Injection, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Shell PID Injection, Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Chflags Hidden, Hiding Files With Attrib.exe, PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: Successful Brute Force Login From Internet, CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Eventlog Cleared, ETW Tampering, Cookies Deletion, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Clear EventLogs Through CommandLine, Correlation Post Exploitation Patterns Via Winrm, Microsoft Defender Antivirus History Deleted, Evil Winrm Modules Execution, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Mshta Command From A Scheduled Task, Spoolsv Wrong Parent, MavInject Process Injection, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, OceanLotus Registry Activity, Chafer (APT 39) Activity, Windows Defender Logging Modification Via Registry, LanManServer Registry Modify, Ursnif Registry Key, Remote Registry Management Using Reg Utility, DHCP Callout DLL Installation, FlowCloud Malware, RDP Sensitive Settings Changed, RDP Port Change Using Powershell, DNS ServerLevelPluginDll Installation, Suspicious Desktopimgdownldr Execution, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, MOFComp Execution, Suspicious Windows Installer Execution, IcedID Execution Using Excel, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Explorer Process Executing HTA File, Control Panel Items, Mshta JavaScript Execution, AccCheckConsole Executing Dll, CMSTP UAC Bypass via COM Object Access, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Credential Prompt, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Malicious PowerShell Keywords, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Sigma Intelligence ErrTraffic PowerShell Command Line, Correlation Supicious Powershell Drop and Exec, Evil Winrm Modules Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell NTFS Alternate Data Stream, PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Suspicious Context Changes, Screenconnect Remote Execution, Mshta Suspicious Child Process, PowerShell Malicious PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.008", "score": 100, "comment": "Rules: Evil Winrm Modules Execution, Correlation Post Exploitation Patterns Via Winrm"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, User Added to Local Administrators, Dscl Authonly, Account Tampering - Suspicious Failed Logon Reasons, User Added To Admin Group Via Cmd, Account Removed From A Security Enabled Group, Enable Root Account With Dsenableroot, Admin User RDP Remote Logon"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon, User Added To Admin Group Via Cmd"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension, Possible Malicious File Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, WMI Fingerprint Commands, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Process Call Creation, VSCode Tunnel Shell Exec, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WerFaultSecure Abuse, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, Screenconnect Remote Execution, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Taskkill Command, Web Application Launching Shell, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Wininit Wrong Parent, WMI Persistence Command Line Event Consumer, Logonui Wrong Parent, New Service Creation, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Lsass Wrong Parent, Chafer (APT 39) Activity, Csrss Child Found, Malicious Service Installations, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Wininit Wrong Parent, WMI Persistence Command Line Event Consumer, Logonui Wrong Parent, New Service Creation, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Lsass Wrong Parent, Chafer (APT 39) Activity, Csrss Child Found, Malicious Service Installations, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Correlation Impacket Smbexec, Wininit Wrong Parent, WMI Persistence Command Line Event Consumer, Logonui Wrong Parent, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Smbexec.py Service Installation, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, PsExec Process, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Csrss Child Found, Malicious Service Installations, Searchprotocolhost Wrong Parent, Suspicious PsExec Execution, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Suspicious DNS Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Correlation Impacket Smbexec, Wininit Wrong Parent, WMI Persistence Command Line Event Consumer, Logonui Wrong Parent, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Smbexec.py Service Installation, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Microsoft Defender Antivirus Threat Detected, Csrss Wrong Parent, Taskhostw Wrong Parent, PsExec Process, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Windows Update LolBins, Csrss Child Found, SolarWinds Suspicious File Creation, Malicious Service Installations, Searchprotocolhost Wrong Parent, Suspicious PsExec Execution, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Suspicious DNS Child Process"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, AD User Enumeration"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Successful Brute Force Login From Internet, Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Change Default File Association, COM Hijack Via Sdclt, Reconnaissance Commands Activities, Component Object Model Hijacking, Suspicious Scripting In A WMI Consumer, WMI Event Subscription, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Correlation Admin Files Checked On Network Share, Netscan Share Access Artefact, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Trickbot Malware Activity, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Phosphorus Domain Controller Discovery, AdFind Usage"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Correlation Impacket Smbexec, Smbexec.py Service Installation, Remote Service Activity Via SVCCTL Named Pipe, Admin Share Access, Lateral Movement Remote Named Pipe, Protected Storage Service Access"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Correlation Impacket Smbexec, Smbexec.py Service Installation, Remote Service Activity Via SVCCTL Named Pipe, Admin Share Access, RDP Login From Localhost, RDP Port Change Using Powershell, MMC20 Lateral Movement, Protected Storage Service Access, Lateral Movement Remote Named Pipe, MMC Spawning Windows Shell"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Windows Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Chafer (APT 39) Activity, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Impacket Secretsdump.py Tool, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer, WMI Event Subscription"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Suspicious Kerberos Ticket, Possible Replay Attack, Rubeus Register New Logon Process"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Svchost Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Remote Task Creation Via ATSVC Named Pipe, Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: System Network Connections Discovery, Remote System Discovery Via Telnet, Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, Microsoft Windows Active Directory Module Commandlets"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Impacket Addcomputer, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Dumpert LSASS Process Dumper, Windows Credential Editor Registry Key, Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Password Dumper Activity On LSASS, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Impacket Secretsdump.py Tool, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, Chafer (APT 39) Activity, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining, Sliver DNS Beaconing, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Suspicious Windows DNS Queries, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, DNS Tunnel Technique From MuddyWater, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing, SEKOIA.IO Intelligence Feed, Python HTTP Server, LokiBot Default C2 URL, Chafer (APT 39) Activity"}, {"techniqueID": "T1649", "score": 100, "comment": "Rules: Suspicious Kerberos Ticket"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Correlation PowerShell Suspicious DLL Loading, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Ntfsinfo Usage, Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost, RDP Port Change Using Powershell"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-21972 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credentials Extraction, Credential Harvesting Via Vaultcmd.exe, Information Stealer Downloading Legitimate Third-Party DLLs, Generic Password Discovery"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, LokiBot Default C2 URL, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Suspicious Windows DNS Queries, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Remote Registry Management Using Reg Utility, Putty Sessions Listing"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection, Msdt (Follina) File Browse Process Execution, Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, Remote Enumeration Of Lateral Movement Groups, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt, Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes, Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft IIS Module Installation, CVE-2021-34473 ProxyShell Attempt, Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes, Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack, EvilProxy Phishing Domain, Correlation Suspicious Authentication Coercer Behavior, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1563.001", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1563", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1555.001", "score": 100, "comment": "Rules: Generic Password Discovery"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x HarfangLab EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Suspicious VBS Execution Parameter, PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Microsoft Office Creating Suspicious File, PowerShell Downgrade Attack, Interactive Terminal Spawned via Python, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Web Application Launching Shell, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Credential Prompt, Suspicious PowerShell Invocations - Generic, Correlation Netcat Infection Chain, WMIC Uninstall Product, Trickbot Malware Activity, PowerShell Malicious PowerShell Commandlets, Invoke-TheHash Commandlets, PowerShell NTFS Alternate Data Stream, Lazarus Loaders, PowerShell Invoke Expression With Registry, Powershell Web Request, Python Offensive Tools and Packages, Screenconnect Remote Execution, PowerShell Malicious Nishang PowerShell Commandlets, Sigma Intelligence ErrTraffic PowerShell Command Line, Elise Backdoor, Bloodhound and Sharphound Tools Usage, Suspicious Outlook Child Process, Correlation Supicious Powershell Drop and Exec, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Sysprep On AppData Folder, PowerShell Commands Invocation, AutoIt3 Execution From Suspicious Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Generic-reverse-shell-oneliner, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Suspicious Context Changes, Evil Winrm Modules Execution, Socat Relaying Socket, Mustang Panda Dropper, Microsoft Defender Antivirus Threat Detected, JS PowerShell Infection Chains, Default Encoding To UTF-8 PowerShell, Malicious PowerShell Keywords, QakBot Process Creation, Suspicious Scripting In A WMI Consumer, Suspicious PowerShell Keywords, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Windows Script Execution, Mshta Suspicious Child Process, Suspicious Cmd.exe Command Line, Suspicious XOR Encoded PowerShell Command Line, Aspnet Compiler, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Bash Reverse Shell, Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious File Name"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: HarfangLab EDR High Threat, Microsoft Office Creating Suspicious File, HarfangLab EDR Low Threat, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Critical Threat, Exploit For CVE-2015-1641, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Medium Threat, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, HarfangLab EDR Suspicious Process Behavior Has Been Detected, IcedID Execution Using Excel, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR Low Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, Winword Document Droppers, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HarfangLab EDR High Threat, Microsoft Office Creating Suspicious File, ZIP LNK Infection Chain, HarfangLab EDR Low Threat, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Critical Threat, HTA Infection Chains, Exploit For CVE-2015-1641, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Medium Threat, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Suspicious Outlook Child Process, IcedID Execution Using Excel, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR Low Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, Microsoft Defender Antivirus Threat Detected, Winword Document Droppers, Correlation PowerShell Suspicious DLL Loading, ISO LNK Infection Chain, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential LokiBot User-Agent, Bazar Loader DGA (Domain Generation Algorithm), DNS Tunnel Technique From MuddyWater, Suspicious Windows DNS Queries, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Cobalt Strike DNS Beaconing, LokiBot Default C2 URL, Koadic MSHTML Command, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Chafer (APT 39) Activity"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Suspicious Outlook Child Process"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack, Correlation Priv Esc Via Remote Thread, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, CMSTP UAC Bypass via COM Object Access, HTML Smuggling Suspicious Usage, UAC Bypass Using Fodhelper, Shell PID Injection, UAC Bypass Via Sdclt, Reconnaissance Commands Activities"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 1, PowerView commandlets 2, Phosphorus (APT35) Exchange Discovery, AD User Enumeration, Remote Privileged Group Enumeration, Shell PID Injection, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Reconnaissance Commands Activities, Remote Enumeration Of Lateral Movement Groups"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Windows Defender Deactivation Using PowerShell Script, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Fail2ban Unban IP, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, TrustedInstaller Impersonation, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Microsoft Malware Protection Engine Crash, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, Windows Defender Deactivation Using PowerShell Script, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, Netsh Program Allowed With Suspicious Location, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh Port Opening, Attempt to Disable Gatekeeper Execution Control, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Fail2ban Unban IP, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, TrustedInstaller Impersonation, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Microsoft Malware Protection Engine Crash, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, FLTMC command usage, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Tampering Detected, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Possible Malicious File Double Extension, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Correlation Netcat Infection Chain, Linux Bash Reverse Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Information Stealer Downloading Legitimate Third-Party DLLs, Network Connection Via Certutil, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Correlation Netcat Infection Chain, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Smss Wrong Parent, MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Taskhost Wrong Parent, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Mshta Command From A Scheduled Task, Svchost Wrong Parent"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, WMI Fingerprint Commands, System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Elevated Msiexec Via Repair Functionality, DHCP Server Error Failed Loading the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, Elevated Shell Launched By Browser"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key, Malware Persistence Registry Key, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, Linux Suspicious Auto-start Desktop Shortcut Execution, Suspicious desktop.ini Action, Microsoft Office Macro Security Registry Modifications, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Security Support Provider (SSP) Added to LSA Configuration, Powershell Winlogon Helper DLL"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292, Successful Brute Force Login From Internet"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Correlation Post Exploitation Patterns Via Winrm, Cookies Deletion, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Evil Winrm Modules Execution, ETW Tampering, Compression Followed By Suppression, Eventlog Cleared, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, PowerShell NTFS Alternate Data Stream, Chflags Hidden, Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Credentials Extraction, Outlook Registry Access, Container Credential Access, Remote Registry Management Using Reg Utility, XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, User Added to Local Administrators, SSH Authorized Key Alteration, Mimikatz Basic Commands, SeEnableDelegationPrivilege Granted To User Or Machine In Active Directory, Password Change On Directory Service Restore Mode (DSRM) Account, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, Remote Task Creation Via ATSVC Named Pipe, STRRAT Scheduled Task, Schtasks Suspicious Parent, Windows Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Cron Files Alteration, Chafer (APT 39) Activity"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1547.013", "score": 100, "comment": "Rules: Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Trace Alteration, Malicious Service Installations, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Password Dumper Activity On LSASS, Wdigest Enable UseLogonCredential, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Dumpert LSASS Process Dumper, Impacket Secretsdump.py Tool, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Mimikatz Basic Commands, Copying Browser Files With Credentials, Transferring Files With Credential Data Via Network Shares, Load Of dbghelp/dbgcore DLL From Suspicious Process, HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, COM Hijack Via Sdclt, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage, WMI Event Subscription, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write, Reconnaissance Commands Activities"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, OceanLotus Registry Activity, RDP Port Change Using Powershell, Remote Registry Management Using Reg Utility, Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, Chafer (APT 39) Activity, FlowCloud Malware, Windows Defender Logging Modification Via Registry, RDP Sensitive Settings Changed, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, Disable Workstation Lock, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious New Printer Ports In Registry, LanManServer Registry Modify, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Lsass Wrong Parent, Malicious Service Installations, OneNote Suspicious Children Process, Svchost Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Mshta Command From A Scheduled Task, Csrss Child Found, Rare Logonui Child Found, New Service Creation, SolarWinds Wrong Child Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Chafer (APT 39) Activity, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Lsass Wrong Parent, Malicious Service Installations, OneNote Suspicious Children Process, Svchost Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Mshta Command From A Scheduled Task, Csrss Child Found, Rare Logonui Child Found, New Service Creation, SolarWinds Wrong Child Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Chafer (APT 39) Activity, Winrshost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Correlation Impacket Smbexec, Taskhost Wrong Parent, Smbexec.py Service Installation, Lsass Wrong Parent, Malicious Service Installations, Suspicious PsExec Execution, OneNote Suspicious Children Process, Svchost Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Mshta Command From A Scheduled Task, Csrss Child Found, Rare Logonui Child Found, SolarWinds Wrong Child Process, PsExec Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Windows Update LolBins, Correlation Impacket Smbexec, Taskhost Wrong Parent, Smbexec.py Service Installation, Lsass Wrong Parent, Malicious Service Installations, Suspicious PsExec Execution, OneNote Suspicious Children Process, Svchost Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, WMI Persistence Command Line Event Consumer, Exfiltration Via Pscp, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Microsoft Defender Antivirus Threat Detected, Mshta Command From A Scheduled Task, Usage Of Procdump With Common Arguments, Csrss Child Found, SolarWinds Suspicious File Creation, Rare Logonui Child Found, SolarWinds Wrong Child Process, PsExec Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Load Of dbghelp/dbgcore DLL From Suspicious Process, Password Dumper Activity On LSASS, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key, Dumpert LSASS Process Dumper"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer, WMI Event Subscription"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, Bloodhound and Sharphound Tools Usage, Remote Enumeration Of Lateral Movement Groups"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: AD User Enumeration, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, AdFind Usage, Phosphorus Domain Controller Discovery, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 1, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, PowerShell Credential Prompt, PowerShell Malicious PowerShell Commandlets, Invoke-TheHash Commandlets, PowerShell NTFS Alternate Data Stream, PowerShell Invoke Expression With Registry, Powershell Web Request, Screenconnect Remote Execution, PowerShell Malicious Nishang PowerShell Commandlets, Sigma Intelligence ErrTraffic PowerShell Command Line, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Suspicious Context Changes, Evil Winrm Modules Execution, JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Malicious PowerShell Keywords, Suspicious PowerShell Keywords, Mshta Suspicious Child Process, Suspicious XOR Encoded PowerShell Command Line, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WerFaultSecure Abuse, Tactical RMM Installation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, WMI Fingerprint Commands, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, VSCode Tunnel Shell Exec, Impacket Wmiexec Module, Suspicious Mshta Execution From Wmi, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Remote Service Activity Via SVCCTL Named Pipe, Correlation Impacket Smbexec, Admin Share Access, Smbexec.py Service Installation, Protected Storage Service Access, Lateral Movement Remote Named Pipe"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, RDP Login From Localhost, Remote Service Activity Via SVCCTL Named Pipe, MMC20 Lateral Movement, Correlation Impacket Smbexec, Admin Share Access, Smbexec.py Service Installation, Protected Storage Service Access, Lateral Movement Remote Named Pipe, MMC Spawning Windows Shell"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, Domain Trust Created Or Removed"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Antivirus Web Shell Detection, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Antivirus Web Shell Detection, PowerCat Function Loading, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, Webshell Creation"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credentials Extraction, Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool, Generic Password Discovery, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, CMSTP UAC Bypass via COM Object Access, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regsvr32 Execution, xWizard Execution, AccCheckConsole Executing Dll, MOFComp Execution, Suspicious Windows Installer Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Lazarus Loaders, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Screenconnect Remote Execution, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Mustang Panda Dropper, Web Application Launching Shell, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Remote Registry Management Using Reg Utility, Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: ACLight Discovering Privileged Accounts, Remote System Discovery Via Telnet, System Network Connections Discovery, Adidnsdump Enumeration, Microsoft Windows Active Directory Module Commandlets"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, STRRAT Scheduled Task, Schtasks Suspicious Parent, Windows Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Chafer (APT 39) Activity"}, {"techniqueID": "T1070.008", "score": 100, "comment": "Rules: Evil Winrm Modules Execution, Correlation Post Exploitation Patterns Via Winrm"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, Netscan Share Access Artefact, PowerView commandlets 2, Correlation Admin Files Checked On Network Share"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Cobalt Strike DNS Beaconing, Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Chafer (APT 39) Activity"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Python HTTP Server, Suspicious Windows DNS Queries, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Privileged AD Builtin Group Modified, Computer Account Deleted"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Msdt (Follina) File Browse Process Execution, Antivirus Exploitation Framework Detection, Suspicious Hangul Word Processor Child Process, Antivirus Password Dumper Detection, Suspicious New Printer Ports In Registry, Exploit For CVE-2015-1641"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Antivirus Password Dumper Detection"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, Impacket Addcomputer, User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), Correlation Suspicious Authentication Coercer Behavior, Possible RottenPotato Attack, EvilProxy Phishing Domain"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Remote Task Creation Via ATSVC Named Pipe, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot, Account Added To A Security Enabled Group, User Added to Local Administrators, Admin User RDP Remote Logon, User Added To Admin Group Via Cmd, Account Removed From A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons, Dscl Authonly"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Credential Dump Tools Related Files, Impacket Secretsdump.py Tool, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Impacket Secretsdump.py Tool, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Successful Brute Force Login From Internet, Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, RDP Login From Localhost"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Suspicious New Printer Ports In Registry, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Register New Logon Process, Suspicious Kerberos Ticket, Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Correlation PowerShell Suspicious DLL Loading, HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd, Admin User RDP Remote Logon"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Impacket Secretsdump.py Tool"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1649", "score": 100, "comment": "Rules: Suspicious Kerberos Ticket"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1555.001", "score": 100, "comment": "Rules: Generic Password Discovery"}, {"techniqueID": "T1563.001", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1563", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json
index faa6abf78d..f4a54cb83f 100644
--- a/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS GuardDuty", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS GuardDuty Medium Severity Alert, AWS GuardDuty Low Severity Alert, Sekoia.io EICAR Detection, AWS GuardDuty High Severity Alert"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: AWS GuardDuty Medium Severity Alert, AWS GuardDuty Low Severity Alert, AWS GuardDuty High Severity Alert"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Correlation Potential DNS Tunnel, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS GuardDuty", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS GuardDuty Medium Severity Alert, Sekoia.io EICAR Detection, AWS GuardDuty Low Severity Alert, AWS GuardDuty High Severity Alert"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: AWS GuardDuty Medium Severity Alert, AWS GuardDuty High Severity Alert, AWS GuardDuty Low Severity Alert"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json
index 1d5520cac0..0b88ac3eb7 100644
--- a/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sophos EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Sophos EDR Application Blocked, Sophos EDR CorePUA Clean, Sophos EDR Application Detected, Sophos EDR CorePUA Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Correlation Admin Files Checked On Network Share"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sophos EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sophos EDR CorePUA Detection, Sophos EDR CorePUA Clean, Sophos EDR Application Blocked, Sophos EDR Application Detected"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Correlation Admin Files Checked On Network Share"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3f99cdd8-aeca-4860-a846-6f2a794583e1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3f99cdd8-aeca-4860-a846-6f2a794583e1_do_not_edit_manually.json
index 025cd16613..0647b9e607 100644
--- a/_shared_content/operations_center/detection/generated/attack_3f99cdd8-aeca-4860-a846-6f2a794583e1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3f99cdd8-aeca-4860-a846-6f2a794583e1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Database for MySQL", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Database for MySQL", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console, Sekoia.io EICAR Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json
index 17e2bff2e4..77c57a5920 100644
--- a/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Skyhigh Secure Web Gateway / McAfee Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Bloodhound and Sharphound Tools Usage, Suspicious File Name"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Download Files From Suspicious TLDs, ISO LNK Infection Chain, Download Files From Non-Legitimate TLDs, HTA Infection Chains"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Download Files From Suspicious TLDs, ISO LNK Infection Chain, Download Files From Non-Legitimate TLDs, HTA Infection Chains"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Exfiltration And Tunneling Tools Execution, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default POST Beaconing, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Suspicious Windows DNS Queries, Download File On Cloud Storage Through Command Line, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining, Cobalt Strike HTTP Default POST Beaconing, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Suspicious Windows DNS Queries, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Download File On Cloud Storage Through Command Line, SEKOIA.IO Intelligence Feed, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot, Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Skyhigh Secure Web Gateway / McAfee Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential LokiBot User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Download File On Cloud Storage Through Command Line, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Suspicious Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Suspicious Windows DNS Queries, Potential Bazar Loader User-Agents, Download File On Cloud Storage Through Command Line, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, LokiBot Default C2 URL, Koadic MSHTML Command, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group, Enable Root Account With Dsenableroot"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain, ZIP LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json
index 2ebde1ff3d..67a38dbf57 100644
--- a/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 2.0", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Python Offensive Tools and Packages, Powershell Web Request, SquirrelWaffle Malspam Execution Loading DLL, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, Trickbot Malware Activity, PowerShell Credential Prompt, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Suspicious Taskkill Command, Web Application Launching Shell, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Generic, Malicious PowerShell Keywords, Suspicious VBS Execution Parameter, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Generic-reverse-shell-oneliner, Correlation Supicious Powershell Drop and Exec, Sigma Intelligence ErrTraffic PowerShell Command Line, Evil Winrm Modules Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, AutoIt3 Execution From Suspicious Folder, Suspicious PowerShell Invocations - Specific, PowerShell NTFS Alternate Data Stream, Lazarus Loaders, Aspnet Compiler, PowerShell EncodedCommand, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Elise Backdoor, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Interactive Terminal Spawned via Python, Mustang Panda Dropper, PowerShell Suspicious Context Changes, Screenconnect Remote Execution, Mshta Suspicious Child Process, Sysprep On AppData Folder, PowerShell Malicious PowerShell Commandlets, Socat Reverse Shell Detection, Exploited CVE-2020-10189 Zoho ManageEngine, Correlation Netcat Infection Chain, Microsoft Office Spawning Script, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Scheduled Task Creation By Non Privileged User, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Driver Loaded, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Package Manager Alteration, Windows Defender Deactivation Using PowerShell Script, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, TrustedInstaller Impersonation, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, Netsh Port Forwarding, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, FLTMC command usage, Netsh Allow Command, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Package Manager Alteration, Powershell AMSI Bypass, Windows Defender Deactivation Using PowerShell Script, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, TrustedInstaller Impersonation, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1547.013", "score": 100, "comment": "Rules: Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, DLL Load via LSASS Registry Key, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, Svchost Modification, Security Support Provider (SSP) Added to LSA Configuration, Njrat Registry Values, Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, Container Credential Access, Opening Of a Password File, Credentials Extraction, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Correlation Netcat Infection Chain"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Dumpert LSASS Process Dumper, Process Trace Alteration, Copying Browser Files With Credentials, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Wdigest Enable UseLogonCredential, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, HackTools Suspicious Names, Windows Credential Editor Registry Key, Rubeus Tool Command-line, NetNTLM Downgrade Attack, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Enabling Restricted Admin Mode, SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Hijack Legit RDP Session To Move Laterally, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation, Elevated Shell Launched By Browser, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Legitimate Process Execution From Unusual Folder, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery, WMI Fingerprint Commands"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Correlation Netcat Infection Chain, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Rclone Process"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection, Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, Shell PID Injection, COM Hijack Via Sdclt, Reconnaissance Commands Activities, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, PowerView commandlets 1, Shell PID Injection, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Shell PID Injection, Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Chflags Hidden, Hiding Files With Attrib.exe, PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Clear EventLogs Through CommandLine, Correlation Post Exploitation Patterns Via Winrm, Evil Winrm Modules Execution, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Mshta Command From A Scheduled Task, Spoolsv Wrong Parent, MavInject Process Injection, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, OceanLotus Registry Activity, Windows Defender Logging Modification Via Registry, LanManServer Registry Modify, NetNTLM Downgrade Attack, Ursnif Registry Key, DHCP Callout DLL Installation, Disabling SmartScreen Via Registry, FlowCloud Malware, RDP Sensitive Settings Changed, DNS ServerLevelPluginDll Installation, Suspicious Desktopimgdownldr Execution, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Port Change Using Powershell, Blue Mockingbird Malware, Wdigest Enable UseLogonCredential, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, MOFComp Execution, Suspicious Windows Installer Execution, IcedID Execution Using Excel, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, xWizard Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Explorer Process Executing HTA File, Control Panel Items, Mshta JavaScript Execution, AccCheckConsole Executing Dll, CMSTP UAC Bypass via COM Object Access, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Credential Prompt, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Malicious PowerShell Keywords, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Sigma Intelligence ErrTraffic PowerShell Command Line, Correlation Supicious Powershell Drop and Exec, Evil Winrm Modules Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell NTFS Alternate Data Stream, PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Suspicious Context Changes, Screenconnect Remote Execution, Mshta Suspicious Child Process, PowerShell Malicious PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.008", "score": 100, "comment": "Rules: Evil Winrm Modules Execution, Correlation Post Exploitation Patterns Via Winrm"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension, Possible Malicious File Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, WMI Fingerprint Commands, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Process Call Creation, VSCode Tunnel Shell Exec, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WerFaultSecure Abuse, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, Screenconnect Remote Execution, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Taskkill Command, Web Application Launching Shell, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Wininit Wrong Parent, WMI Persistence Command Line Event Consumer, Logonui Wrong Parent, New Service Creation, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Wininit Wrong Parent, WMI Persistence Command Line Event Consumer, Logonui Wrong Parent, New Service Creation, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Wininit Wrong Parent, WMI Persistence Command Line Event Consumer, Logonui Wrong Parent, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, PsExec Process, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Csrss Child Found, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Suspicious DNS Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Wininit Wrong Parent, WMI Persistence Command Line Event Consumer, Logonui Wrong Parent, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, PsExec Process, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Windows Update LolBins, Csrss Child Found, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Suspicious DNS Child Process"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Change Default File Association, COM Hijack Via Sdclt, Reconnaissance Commands Activities, Component Object Model Hijacking, Suspicious Netsh DLL Persistence, Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Trickbot Malware Activity, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Phosphorus Domain Controller Discovery, AdFind Usage"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: MS Office Product Spawning Exe in User Dir, Suspicious Outlook Child Process, Winword Document Droppers, HTA Infection Chains, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel, ISO LNK Infection Chain, Exploit For CVE-2015-1641, Correlation PowerShell Suspicious DLL Loading, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Svchost Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: System Network Connections Discovery, Remote System Discovery Via Telnet, Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, Microsoft Windows Active Directory Module Commandlets"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Correlation PowerShell Suspicious DLL Loading, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Dumpert LSASS Process Dumper, Windows Credential Editor Registry Key, Process Memory Dump Using Createdump, Load Of dbghelp/dbgcore DLL From Suspicious Process, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-17530 Apache Struts RCE, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, Suspicious DNS Child Process"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, RDP Port Change Using Powershell, MMC Spawning Windows Shell"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, Dynamic DNS Contacted, Cryptomining, Sliver DNS Beaconing, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, Bazar Loader DGA (Domain Generation Algorithm), Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, DNS Exfiltration and Tunneling Tools Execution, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Generic Password Discovery, Credentials Extraction, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Microsoft IIS Module Installation, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1563.001", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1563", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot, User Added To Admin Group Via Cmd, Dscl Authonly"}, {"techniqueID": "T1555.001", "score": 100, "comment": "Rules: Generic Password Discovery"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 2.0", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Suspicious VBS Execution Parameter, PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Downgrade Attack, Interactive Terminal Spawned via Python, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Web Application Launching Shell, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Credential Prompt, Suspicious PowerShell Invocations - Generic, Correlation Netcat Infection Chain, WMIC Uninstall Product, Trickbot Malware Activity, PowerShell Malicious PowerShell Commandlets, Invoke-TheHash Commandlets, PowerShell NTFS Alternate Data Stream, Lazarus Loaders, PowerShell Invoke Expression With Registry, Powershell Web Request, Python Offensive Tools and Packages, Screenconnect Remote Execution, PowerShell Malicious Nishang PowerShell Commandlets, Sigma Intelligence ErrTraffic PowerShell Command Line, Elise Backdoor, Bloodhound and Sharphound Tools Usage, Suspicious Outlook Child Process, Correlation Supicious Powershell Drop and Exec, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Sysprep On AppData Folder, PowerShell Commands Invocation, AutoIt3 Execution From Suspicious Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Generic-reverse-shell-oneliner, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Suspicious Context Changes, Evil Winrm Modules Execution, Socat Relaying Socket, Mustang Panda Dropper, JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Malicious PowerShell Keywords, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, Mshta Suspicious Child Process, Suspicious Cmd.exe Command Line, Suspicious XOR Encoded PowerShell Command Line, Aspnet Compiler, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Bash Reverse Shell, Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Suspicious Windows DNS Queries, Cryptomining, Koadic MSHTML Command, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Sliver DNS Beaconing, Detect requests to Konni C2 servers, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Suspicious Outlook Child Process"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Correlation Priv Esc Via Remote Thread, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, CMSTP UAC Bypass via COM Object Access, HTML Smuggling Suspicious Usage, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, Shell PID Injection, UAC Bypass Via Sdclt, Reconnaissance Commands Activities"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 1, PowerView commandlets 2, Phosphorus (APT35) Exchange Discovery, Shell PID Injection, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Windows Defender Deactivation Using PowerShell Script, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Fail2ban Unban IP, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, TrustedInstaller Impersonation, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, Windows Defender Deactivation Using PowerShell Script, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, Netsh Program Allowed With Suspicious Location, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh Port Opening, Attempt to Disable Gatekeeper Execution Control, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Fail2ban Unban IP, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, TrustedInstaller Impersonation, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, FLTMC command usage, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Possible Malicious File Double Extension, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Correlation Netcat Infection Chain, Linux Bash Reverse Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Correlation Netcat Infection Chain, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Smss Wrong Parent, MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Taskhost Wrong Parent, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Mshta Command From A Scheduled Task, Svchost Wrong Parent"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, WMI Fingerprint Commands, System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Elevated Msiexec Via Repair Functionality, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, Elevated Shell Launched By Browser"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key, Malware Persistence Registry Key, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, Linux Suspicious Auto-start Desktop Shortcut Execution, Microsoft Office Macro Security Registry Modifications, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Security Support Provider (SSP) Added to LSA Configuration, Powershell Winlogon Helper DLL"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Correlation Post Exploitation Patterns Via Winrm, Microsoft Defender Antivirus History Directory Deleted, Evil Winrm Modules Execution, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, PowerShell NTFS Alternate Data Stream, Chflags Hidden, Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Credentials Extraction, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode, SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Cron Files Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1547.013", "score": 100, "comment": "Rules: Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Dumpert LSASS Process Dumper, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Mimikatz Basic Commands, NetNTLM Downgrade Attack, Copying Browser Files With Credentials, Load Of dbghelp/dbgcore DLL From Suspicious Process, HackTools Suspicious Names, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage, Component Object Model Hijacking, Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, WMI Persistence Script Event Consumer File Write, Reconnaissance Commands Activities"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RDP Port Change Using Powershell, Disabling SmartScreen Via Registry, Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Suspicious Desktopimgdownldr Execution, Windows Defender Logging Modification Via Registry, RDP Sensitive Settings Changed, DNS ServerLevelPluginDll Installation, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, Disable Workstation Lock, NetNTLM Downgrade Attack, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious New Printer Ports In Registry, LanManServer Registry Modify, OceanLotus Registry Activity"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Mshta Command From A Scheduled Task, Csrss Child Found, Rare Logonui Child Found, New Service Creation, SolarWinds Wrong Child Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Mshta Command From A Scheduled Task, Csrss Child Found, Rare Logonui Child Found, New Service Creation, SolarWinds Wrong Child Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Mshta Command From A Scheduled Task, Csrss Child Found, Rare Logonui Child Found, SolarWinds Wrong Child Process, PsExec Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Windows Update LolBins, Taskhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, WMI Persistence Command Line Event Consumer, Exfiltration Via Pscp, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Mshta Command From A Scheduled Task, Csrss Child Found, Rare Logonui Child Found, SolarWinds Wrong Child Process, PsExec Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Load Of dbghelp/dbgcore DLL From Suspicious Process, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key, Dumpert LSASS Process Dumper"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, AdFind Usage, Phosphorus Domain Controller Discovery, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 1, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, PowerShell Credential Prompt, PowerShell Malicious PowerShell Commandlets, Invoke-TheHash Commandlets, PowerShell NTFS Alternate Data Stream, PowerShell Invoke Expression With Registry, Powershell Web Request, Screenconnect Remote Execution, PowerShell Malicious Nishang PowerShell Commandlets, Sigma Intelligence ErrTraffic PowerShell Command Line, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Suspicious Context Changes, Evil Winrm Modules Execution, JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Malicious PowerShell Keywords, Suspicious PowerShell Keywords, Mshta Suspicious Child Process, Suspicious XOR Encoded PowerShell Command Line, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WerFaultSecure Abuse, Tactical RMM Installation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, WMI Fingerprint Commands, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, VSCode Tunnel Shell Exec, Impacket Wmiexec Module, Suspicious Mshta Execution From Wmi, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Microsoft IIS Module Installation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, CMSTP UAC Bypass via COM Object Access, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, CMSTP Execution, Suspicious Regsvr32 Execution, xWizard Execution, AccCheckConsole Executing Dll, MOFComp Execution, Suspicious Windows Installer Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Lazarus Loaders, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Screenconnect Remote Execution, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Mustang Panda Dropper, Web Application Launching Shell, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Winword Document Droppers, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Winword Document Droppers, Correlation PowerShell Suspicious DLL Loading, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, HTA Infection Chains, Suspicious Outlook Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: ACLight Discovering Privileged Accounts, Remote System Discovery Via Telnet, System Network Connections Discovery, Adidnsdump Enumeration, Microsoft Windows Active Directory Module Commandlets"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1070.008", "score": 100, "comment": "Rules: Evil Winrm Modules Execution, Correlation Post Exploitation Patterns Via Winrm"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credentials Extraction, PasswordDump SecurityXploded Tool, Generic Password Discovery, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Suspicious New Printer Ports In Registry, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Correlation PowerShell Suspicious DLL Loading, HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Suspicious DNS Child Process, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd, Enable Root Account With Dsenableroot, Dscl Authonly"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1555.001", "score": 100, "comment": "Rules: Generic Password Discovery"}, {"techniqueID": "T1563.001", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1563", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json
index 9416fa8eb9..b942a10027 100644
--- a/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Broadcom/Symantec Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Sekoia.io EICAR Detection, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Broadcom/Symantec Endpoint Security Event Quarantined, Broadcom/Symantec Endpoint Security Event Terminate, Broadcom/Symantec Endpoint Security Event Blocked, Cobalt Strike Default Beacons Names, Broadcom/Symantec Endpoint Security Event Cleaned"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Trace Alteration"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading, RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled Service, Suspicious PROCEXP152.sys File Created In Tmp, SELinux Disabling"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled Service, Suspicious PROCEXP152.sys File Created In Tmp, SELinux Disabling"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Certify Or Certipy"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, Tactical RMM Installation"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Broadcom/Symantec Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Cryptomining, Suspicious Windows DNS Queries, Koadic MSHTML Command, Dynamic DNS Contacted, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Broadcom/Symantec Endpoint Security Event Cleaned, Broadcom/Symantec Endpoint Security Event Quarantined, Cobalt Strike Default Beacons Names, Broadcom/Symantec Endpoint Security Event Blocked, Broadcom/Symantec Endpoint Security Event Terminate"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, RTLO Character, Phorpiex Process Masquerading, Possible Malicious File Double Extension, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, Disabled Service"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, Disabled Service"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Certify Or Certipy"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Names"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Tactical RMM Installation, Windows Sandbox Start"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Desktopimgdownldr Execution, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json
index 1b4857523f..8d1a54604b 100644
--- a/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sekoia.io activity logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sekoia.io activity logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json
index 742efe7b29..576114c77f 100644
--- a/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Cloud Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Cloud Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_448f83c3-623d-4a07-a1d4-a1f96be1519b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_448f83c3-623d-4a07-a1d4-a1f96be1519b_do_not_edit_manually.json
index 5e667117a9..f12d7fbcb5 100644
--- a/_shared_content/operations_center/detection/generated/attack_448f83c3-623d-4a07-a1d4-a1f96be1519b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_448f83c3-623d-4a07-a1d4-a1f96be1519b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trellix ePO (on-prem)", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected, Bloodhound and Sharphound Tools Usage, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading, RTLO Character"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Microsoft Defender Antivirus Threat Detected, ISO LNK Infection Chain, HTA Infection Chains"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot, Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trellix ePO (on-prem)", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Threat Detected, Suspicious File Name"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, RTLO Character, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, User Account Created"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group, Enable Root Account With Dsenableroot"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Microsoft Defender Antivirus Threat Detected, HTA Infection Chains"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_44d41a2b-96cb-4d37-84e0-4f0c0f9138b8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_44d41a2b-96cb-4d37-84e0-4f0c0f9138b8_do_not_edit_manually.json
index 60b41b0a29..86a6578a07 100644
--- a/_shared_content/operations_center/detection/generated/attack_44d41a2b-96cb-4d37-84e0-4f0c0f9138b8_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_44d41a2b-96cb-4d37-84e0-4f0c0f9138b8_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Tenable Identity Exposure / Alsid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484", "score": 100, "comment": "Rules: Tenable Identity Exposure / Alsid High Severity Alert, Tenable Identity Exposure / Alsid Critical Severity Alert"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Tenable Identity Exposure / Alsid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484", "score": 100, "comment": "Rules: Tenable Identity Exposure / Alsid Critical Severity Alert, Tenable Identity Exposure / Alsid High Severity Alert"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json
index 64694087cd..52b9e49282 100644
--- a/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Secure Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Generic, Suspicious VBS Execution Parameter, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Generic-reverse-shell-oneliner, Correlation Supicious Powershell Drop and Exec, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Aspnet Compiler, PowerShell EncodedCommand, MalwareBytes Uninstallation, Elise Backdoor, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Interactive Terminal Spawned via Python, Mustang Panda Dropper, Sysprep On AppData Folder, Socat Reverse Shell Detection, Correlation Netcat Infection Chain, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Correlation Netcat Infection Chain"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, Process Trace Alteration, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Createdump, WCE wceaux.dll Creation, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, Elevated Shell Launched By Browser, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery, WMI Fingerprint Commands"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Correlation Netcat Infection Chain, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Rclone Process"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, Shell PID Injection, Reconnaissance Commands Activities, COM Hijack Via Sdclt, UAC Bypass Via Sdclt"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, PowerView commandlets 1, Shell PID Injection, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Shell PID Injection, Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Chflags Hidden, Hiding Files With Attrib.exe"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Windows Defender Logging Modification Via Registry, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, Suspicious Windows Installer Execution, MavInject Process Injection, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Explorer Process Executing HTA File, Control Panel Items, Mshta JavaScript Execution, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Double Extension, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, WMI Fingerprint Commands, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WerFaultSecure Abuse"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, QakBot Process Creation, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Change Default File Association, COM Hijack Via Sdclt, Reconnaissance Commands Activities, Component Object Model Hijacking, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Correlation Supicious Powershell Drop and Exec, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Malspam Execution Registering Malicious DLL, ISO LNK Infection Chain, Explorer Process Executing HTA File, HTA Infection Chains"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, SolarWinds Suspicious File Creation, PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, System Network Connections Discovery, Internet Scanner, Remote System Discovery Via Telnet, Adidnsdump Enumeration, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default POST Beaconing, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Suspicious Windows DNS Queries, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining, Sliver DNS Beaconing, Cobalt Strike HTTP Default POST Beaconing, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Suspicious Windows DNS Queries, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Python HTTP Server, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, User Added To Admin Group Via Cmd, Dscl Authonly, Account Removed From A Security Enabled Group, Enable Root Account With Dsenableroot"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft IIS Module Installation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Secure Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Suspicious VBS Execution Parameter, PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell EncodedCommand, PowerShell Downgrade Attack, Interactive Terminal Spawned via Python, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Correlation Netcat Infection Chain, WMIC Uninstall Product, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Sysprep On AppData Folder, PowerShell Commands Invocation, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Generic-reverse-shell-oneliner, Socat Relaying Socket, Mustang Panda Dropper, JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, Suspicious Cmd.exe Command Line, Suspicious XOR Encoded PowerShell Command Line, Aspnet Compiler, Linux Bash Reverse Shell, Malspam Execution Registering Malicious DLL, Suspicious File Name"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential LokiBot User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Suspicious Windows DNS Queries, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension, RDP Configuration File From Mail Process, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Shell PID Injection, UAC Bypass Via Sdclt, Reconnaissance Commands Activities"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 1, PowerView commandlets 2, Shell PID Injection, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Correlation Netcat Infection Chain, Linux Bash Reverse Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Correlation Netcat Infection Chain, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, WMI Fingerprint Commands, System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, Elevated Shell Launched By Browser"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Kernel Module Alteration, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, Chflags Hidden, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, HackTools Suspicious Names, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, WCE wceaux.dll Creation, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Reconnaissance Commands Activities"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 1, NlTest Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WerFaultSecure Abuse, Tactical RMM Installation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, WMI Fingerprint Commands, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regsvr32 Execution, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, ACLight Discovering Privileged Accounts, Remote System Discovery Via Telnet, Internet Scanner, System Network Connections Discovery, Adidnsdump Enumeration"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, HTA Infection Chains"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Python HTTP Server, Suspicious Windows DNS Queries, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft IIS Module Installation, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, User Added To Admin Group Via Cmd, Account Removed From A Security Enabled Group, Enable Root Account With Dsenableroot, Dscl Authonly"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, RDP Configuration File From Mail Process"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json
index d434ea66e4..3545ec481d 100644
--- a/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cato Networks SASE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Koadic MSHTML Command, Cato Networks SASE High Risk Alert, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cato Networks SASE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Cato Networks SASE High Risk Alert, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json
index c77adc44fa..f5aa5ea0c3 100644
--- a/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Proofpoint TAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Proofpoint TAP Email Classified As Phishing But Allowed, Proofpoint TAP Email Classified As Spam But Allowed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Proofpoint TAP Email Classified As Malware But Allowed, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Proofpoint TAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Dynamic DNS Contacted, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Proofpoint TAP Email Classified As Phishing But Allowed, Proofpoint TAP Email Classified As Malware But Allowed, Proofpoint TAP Email Classified As Spam But Allowed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.json
index b36e99a782..b2b71ae11c 100644
--- a/_shared_content/operations_center/detection/generated/attack_46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Jizo AI / Sesame it NDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Alert High Severity Sesame it Jizo NDR"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, LokiBot Default C2 URL, Cryptomining, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Jizo AI / Sesame it NDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, LokiBot Default C2 URL, Koadic MSHTML Command, Dynamic DNS Contacted, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Alert High Severity Sesame it Jizo NDR"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json
index 73ca9ee430..3c72df72ac 100644
--- a/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cryptomining, Potential LokiBot User-Agent, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json
index 627d1c72bb..8feeac4004 100644
--- a/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Retarus Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (MultiScan), Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (MultiScan), Retarus Email Security Threat Detected (Sandboxing), SEKOIA.IO Intelligence Feed, Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Koadic MSHTML Command, Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Retarus Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Dynamic DNS Contacted, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (Sandboxing), SEKOIA.IO Intelligence Feed, Retarus Email Security Threat Detected (MultiScan), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (MultiScan), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_4703dc86-c39d-484c-abb5-46e126c6a05d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_4703dc86-c39d-484c-abb5-46e126c6a05d_do_not_edit_manually.json
index e8755afda0..5599086775 100644
--- a/_shared_content/operations_center/detection/generated/attack_4703dc86-c39d-484c-abb5-46e126c6a05d_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_4703dc86-c39d-484c-abb5-46e126c6a05d_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x BeyondTrust PRA Team [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Names, Windows Credential Editor Registry Key, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, NetNTLM Downgrade Attack, Credential Dump Tools Related Files"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension, Linux Masquerading Space After Name, Phorpiex Process Masquerading"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Suspicious Driver Loaded, Package Manager Alteration, Microsoft Defender Antivirus Exclusion Configuration, Suspicious PROCEXP152.sys File Created In Tmp, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Suspicious Driver Loaded, Package Manager Alteration, Microsoft Defender Antivirus Exclusion Configuration, Suspicious PROCEXP152.sys File Created In Tmp, Disable .NET ETW Through COMPlus_ETWEnabled, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, OceanLotus Registry Activity, Windows Defender Logging Modification Via Registry, LanManServer Registry Modify, NetNTLM Downgrade Attack, Ursnif Registry Key, DHCP Callout DLL Installation, Disabling SmartScreen Via Registry, FlowCloud Malware, RDP Sensitive Settings Changed, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, DLL Load via LSASS Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, Svchost Modification, Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration, Njrat Registry Values"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Correlation Admin Files Checked On Network Share"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, COM Hijack Via Sdclt, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Svchost Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x BeyondTrust PRA Team [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Dynamic DNS Contacted, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Linux Masquerading Space After Name, RTLO Character, Possible Malicious File Double Extension, Phorpiex Process Masquerading"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NetNTLM Downgrade Attack, HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, Process Trace Alteration, Windows Credential Editor Registry Key"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Package Manager Alteration, Microsoft Defender Antivirus Exclusion Configuration, NetNTLM Downgrade Attack, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Disable .NET ETW Through COMPlus_ETWEnabled, Package Manager Alteration, Microsoft Defender Antivirus Exclusion Configuration, NetNTLM Downgrade Attack, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Disabling SmartScreen Via Registry, Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Windows Defender Logging Modification Via Registry, DNS ServerLevelPluginDll Installation, RDP Sensitive Settings Changed, DHCP Callout DLL Installation, Disable Workstation Lock, NetNTLM Downgrade Attack, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious New Printer Ports In Registry, LanManServer Registry Modify, OceanLotus Registry Activity"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, Suspicious desktop.ini Action, Microsoft Office Macro Security Registry Modifications, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Security Support Provider (SSP) Added to LSA Configuration, Powershell Winlogon Helper DLL"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Pandemic Windows Implant"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Impacket Addcomputer, User Account Created"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Correlation Admin Files Checked On Network Share"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.json
index 7a54279aa4..d69f5d1f9f 100644
--- a/_shared_content/operations_center/detection/generated/attack_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ekinops OneOS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ekinops OneOS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_47c9021d-4add-435a-a9db-68e8dc053b6b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_47c9021d-4add-435a-a9db-68e8dc053b6b_do_not_edit_manually.json
index ba0e30c642..317e39926e 100644
--- a/_shared_content/operations_center/detection/generated/attack_47c9021d-4add-435a-a9db-68e8dc053b6b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_47c9021d-4add-435a-a9db-68e8dc053b6b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Radware DefensePro [Beta]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Radware DefensePro [Beta]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_48121ba7-6091-4bbc-accd-50e7c286e7af_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_48121ba7-6091-4bbc-accd-50e7c286e7af_do_not_edit_manually.json
index 9aface1356..07f4003cd3 100644
--- a/_shared_content/operations_center/detection/generated/attack_48121ba7-6091-4bbc-accd-50e7c286e7af_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_48121ba7-6091-4bbc-accd-50e7c286e7af_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Nanocorp [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Nanocorp [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_4a3bb630-951a-40d9-be5e-5c712b37248e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_4a3bb630-951a-40d9-be5e-5c712b37248e_do_not_edit_manually.json
index 4fbea2a1e7..8494bd2831 100644
--- a/_shared_content/operations_center/detection/generated/attack_4a3bb630-951a-40d9-be5e-5c712b37248e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_4a3bb630-951a-40d9-be5e-5c712b37248e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Kubernetes Audit Log", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Kubernetes Audit Log", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_4c4f3256-c3c7-415f-9515-75261514f861_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_4c4f3256-c3c7-415f-9515-75261514f861_do_not_edit_manually.json
index 3a7e873608..8b1efa3115 100644
--- a/_shared_content/operations_center/detection/generated/attack_4c4f3256-c3c7-415f-9515-75261514f861_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_4c4f3256-c3c7-415f-9515-75261514f861_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Akamai WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Akamai WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_do_not_edit_manually.json
index dfc9ebc783..baeb6f472e 100644
--- a/_shared_content/operations_center/detection/generated/attack_4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Cloud Load Balancing", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cryptomining, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Cloud Load Balancing", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_4f9ea4fb-e8b8-4001-822a-4c7a547c31d6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_4f9ea4fb-e8b8-4001-822a-4c7a547c31d6_do_not_edit_manually.json
index d52eb5c4fd..3b8f645333 100644
--- a/_shared_content/operations_center/detection/generated/attack_4f9ea4fb-e8b8-4001-822a-4c7a547c31d6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_4f9ea4fb-e8b8-4001-822a-4c7a547c31d6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Watchguard EPDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Names, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Watchguard EPDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, Process Trace Alteration"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json
index 2f728526de..757f20b4dc 100644
--- a/_shared_content/operations_center/detection/generated/attack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google VPC Flow Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google VPC Flow Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_516d93f9-86b0-4038-a85b-c9be72035ac4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_516d93f9-86b0-4038-a85b-c9be72035ac4_do_not_edit_manually.json
index 3ff73a6670..11cbad123f 100644
--- a/_shared_content/operations_center/detection/generated/attack_516d93f9-86b0-4038-a85b-c9be72035ac4_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_516d93f9-86b0-4038-a85b-c9be72035ac4_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x NucleonEDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, PowerShell EncodedCommand, MalwareBytes Uninstallation, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, Mustang Panda Dropper, Socat Reverse Shell Detection, Correlation Netcat Infection Chain, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Correlation Netcat Infection Chain"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Process Trace Alteration, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, SSH Authorized Key Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Linux Masquerading Space After Name, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Listing Systemd Environment, WMI Fingerprint Commands"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious certutil command, Correlation Netcat Infection Chain, Suspicious Desktopimgdownldr Execution, Rclone Process"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage, Container Credential Access"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Package Manager Alteration, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Package Manager Alteration, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Windows Defender Logging Modification Via Registry, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, WMI Fingerprint Commands, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, WMImplant Hack Tool, Blue Mockingbird Malware"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, PowerView commandlets 1, Reconnaissance Commands Activities, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Change Default File Association, COM Hijack Via Sdclt, Reconnaissance Commands Activities, Component Object Model Hijacking, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Generic, Suspicious PowerShell Keywords, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Powershell Web Request And Windows Script, FromBase64String Command Line, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Correlation Admin Files Checked On Network Share"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Executions, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Equation Group DLL_U Load, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Executions, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Suspicious Desktopimgdownldr Execution, MavInject Process Injection"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, Reconnaissance Commands Activities, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Dynamic DNS Contacted, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x NucleonEDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Correlation Netcat Infection Chain, WMIC Uninstall Product, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, PowerShell Commands Invocation, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, Mustang Panda Dropper, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Cmd.exe Command Line, Linux Bash Reverse Shell, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Linux Masquerading Space After Name, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Correlation Netcat Infection Chain, Linux Bash Reverse Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Pandemic Windows Implant, Correlation Netcat Infection Chain, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Allowed Python Program, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Discovery Commands Correlation, WMI Fingerprint Commands"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Reconnaissance Commands Activities"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 1, NlTest Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, Invoke-TheHash Commandlets, PowerShell EncodedCommand, PowerShell Invoke Expression With Registry, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Tactical RMM Installation, Invoke-TheHash Commandlets, WMI Fingerprint Commands, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, WMIC Uninstall Product"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, MavInject Process Injection, Suspicious Taskkill Command, CertOC Loading Dll, Control Panel Items, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Correlation Admin Files Checked On Network Share, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_517e223d-07a1-4d61-b508-c4c5587146d6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_517e223d-07a1-4d61-b508-c4c5587146d6_do_not_edit_manually.json
index 36de6f37d6..c2faee3e76 100644
--- a/_shared_content/operations_center/detection/generated/attack_517e223d-07a1-4d61-b508-c4c5587146d6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_517e223d-07a1-4d61-b508-c4c5587146d6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trapster (by Ballpoint) [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trapster (by Ballpoint) [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Potential LokiBot User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json
index 12be5be86e..5ccf34473c 100644
--- a/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Duo Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Duo Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json
index 9bd3480c1e..ee75fcca9d 100644
--- a/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiGate", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Sekoia.io EICAR Detection, Suspicious File Name, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console, ISO LNK Infection Chain, HTA Infection Chains"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected, Correlation Fortigate Multi Dest From One Internal Ip, Fortigate IPS Critical Alert, Correlation Fortigate Multi Alert From One Internal Ip, Fortigate IPS High Severity Alert"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Potential LokiBot User-Agent, Sliver DNS Beaconing, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Cobalt Strike DNS Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiGate", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console, Sekoia.io EICAR Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console, HTA Infection Chains"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Cobalt Strike DNS Beaconing, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Sliver DNS Beaconing, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Correlation Fortigate Multi Dest From One Internal Ip, Internet Scanner, Fortigate IPS Critical Alert, Fortigate IPS High Severity Alert, Correlation Fortigate Multi Alert From One Internal Ip, Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_57eda191-2f93-4fd9-99a2-fd8ffbcdff50_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_57eda191-2f93-4fd9-99a2-fd8ffbcdff50_do_not_edit_manually.json
index 64f35c52cf..486160f4a0 100644
--- a/_shared_content/operations_center/detection/generated/attack_57eda191-2f93-4fd9-99a2-fd8ffbcdff50_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_57eda191-2f93-4fd9-99a2-fd8ffbcdff50_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Bitsight SPM", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Bitsight SPM Minor Vulnerability, Bitsight SPM Moderate Vulnerability, Bitsight SPM Severe Vulnerability, Bitsight SPM Material Vulnerability"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Bitsight SPM Minor Vulnerability, Bitsight SPM Moderate Vulnerability, Bitsight SPM Severe Vulnerability, Bitsight SPM Material Vulnerability"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Bitsight SPM", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Bitsight SPM Severe Vulnerability, Bitsight SPM Moderate Vulnerability, Bitsight SPM Material Vulnerability, Bitsight SPM Minor Vulnerability"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Bitsight SPM Severe Vulnerability, Bitsight SPM Moderate Vulnerability, Bitsight SPM Material Vulnerability, Bitsight SPM Minor Vulnerability"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.json
index 50b30b2db1..3162d28d42 100644
--- a/_shared_content/operations_center/detection/generated/attack_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Lacework Cloud Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Lacework Cloud Security Medium Severity Alert, Lacework Cloud Security High Severity Alert, Lacework Cloud Security Critical Severity Alert, Lacework Cloud Security Low Severity Alert"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: Lacework Cloud Security Medium Severity Alert, Lacework Cloud Security High Severity Alert, Lacework Cloud Security Critical Severity Alert, Lacework Cloud Security Low Severity Alert"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Lacework Cloud Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Lacework Cloud Security High Severity Alert, Lacework Cloud Security Medium Severity Alert, Lacework Cloud Security Low Severity Alert, Lacework Cloud Security Critical Severity Alert"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: Lacework Cloud Security High Severity Alert, Lacework Cloud Security Medium Severity Alert, Lacework Cloud Security Low Severity Alert, Lacework Cloud Security Critical Severity Alert"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json
index 6cb4f85064..d4c9fa1316 100644
--- a/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Access Requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Access Requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json
index 1daa435795..2542f076e7 100644
--- a/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco NX-OS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Generic, Suspicious VBS Execution Parameter, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Generic-reverse-shell-oneliner, Correlation Supicious Powershell Drop and Exec, Suspicious Microsoft Defender Antivirus Exclusion Command, AutoIt3 Execution From Suspicious Folder, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, PowerShell EncodedCommand, MalwareBytes Uninstallation, Elise Backdoor, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Interactive Terminal Spawned via Python, Mustang Panda Dropper, Sysprep On AppData Folder, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, Correlation Netcat Infection Chain, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, Disabled Service, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, Disabled Service, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Correlation Netcat Infection Chain"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, Process Trace Alteration, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Createdump, WCE wceaux.dll Creation, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Hijack Legit RDP Session To Move Laterally, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Legitimate Process Execution From Unusual Folder, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery, WMI Fingerprint Commands"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Correlation Netcat Infection Chain, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Information Stealer Downloading Legitimate Third-Party DLLs, Rclone Process"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection, Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, Shell PID Injection, Reconnaissance Commands Activities, COM Hijack Via Sdclt, UAC Bypass Via Sdclt"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, PowerView commandlets 1, Shell PID Injection, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Shell PID Injection, Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Leviathan Registry Key Activity, Suspicious desktop.ini Action, Njrat Registry Values"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Chflags Hidden, Hiding Files With Attrib.exe"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Certify Or Certipy"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Windows Defender Logging Modification Via Registry, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, Suspicious Windows Installer Execution, MavInject Process Injection, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Explorer Process Executing HTA File, Control Panel Items, Mshta JavaScript Execution, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, WMI Fingerprint Commands, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WerFaultSecure Abuse"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, QakBot Process Creation, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Change Default File Association, COM Hijack Via Sdclt, Reconnaissance Commands Activities, Component Object Model Hijacking, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Correlation Supicious Powershell Drop and Exec, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery, Correlation Admin Files Checked On Network Share"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, ISO LNK Infection Chain, HTA Infection Chains"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, SolarWinds Suspicious File Creation, PsExec Process, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Remote System Discovery Via Telnet, Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Ntfsinfo Usage, Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft IIS Module Installation, Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, User Added To Admin Group Via Cmd, Dscl Authonly, Account Removed From A Security Enabled Group, Enable Root Account With Dsenableroot"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco NX-OS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Suspicious VBS Execution Parameter, PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell EncodedCommand, Microsoft Office Creating Suspicious File, PowerShell Downgrade Attack, Interactive Terminal Spawned via Python, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Correlation Netcat Infection Chain, WMIC Uninstall Product, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Sysprep On AppData Folder, PowerShell Commands Invocation, AutoIt3 Execution From Suspicious Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Generic-reverse-shell-oneliner, Socat Relaying Socket, Mustang Panda Dropper, JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, Suspicious Cmd.exe Command Line, Suspicious XOR Encoded PowerShell Command Line, Linux Bash Reverse Shell, Malspam Execution Registering Malicious DLL, Suspicious File Name"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Suspicious Windows DNS Queries, Dynamic DNS Contacted, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Correlation Priv Esc Via Remote Thread, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Shell PID Injection, UAC Bypass Via Sdclt, Reconnaissance Commands Activities"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 1, PowerView commandlets 2, Shell PID Injection, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, SELinux Disabling, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Fail2ban Unban IP, Disabled Service, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, SELinux Disabling, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Fail2ban Unban IP, Disabled Service, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Correlation Netcat Infection Chain, Linux Bash Reverse Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Information Stealer Downloading Legitimate Third-Party DLLs, Network Connection Via Certutil, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Correlation Netcat Infection Chain, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, WMI Fingerprint Commands, System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Elevated Msiexec Via Repair Functionality, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Kernel Module Alteration, Njrat Registry Values, Suspicious desktop.ini Action, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Certify Or Certipy"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, Chflags Hidden, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, WCE wceaux.dll Creation, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write, Reconnaissance Commands Activities"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 1, NlTest Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WerFaultSecure Abuse, Tactical RMM Installation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, WMI Fingerprint Commands, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regsvr32 Execution, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ISO LNK Infection Chain, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, HTA Infection Chains"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Correlation Admin Files Checked On Network Share, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft IIS Module Installation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, User Added To Admin Group Via Cmd, Account Removed From A Security Enabled Group, Enable Root Account With Dsenableroot, Dscl Authonly"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_59912cb4-2eef-4987-ad9a-cb657e29b929_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_59912cb4-2eef-4987-ad9a-cb657e29b929_do_not_edit_manually.json
index a9d0706cc4..669e592225 100644
--- a/_shared_content/operations_center/detection/generated/attack_59912cb4-2eef-4987-ad9a-cb657e29b929_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_59912cb4-2eef-4987-ad9a-cb657e29b929_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x LockSelf LockPass/LockTransfer/LockFiles", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x LockSelf LockPass/LockTransfer/LockFiles", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json
index 52e385f7b6..0ca9f6b8d3 100644
--- a/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Tanium", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious File Name, QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Python Offensive Tools and Packages, Powershell Web Request, SquirrelWaffle Malspam Execution Loading DLL, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, Trickbot Malware Activity, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Generic, Suspicious VBS Execution Parameter, Powershell Web Request And Windows Script, Generic-reverse-shell-oneliner, Web Application Launching Shell, Suspicious Microsoft Defender Antivirus Exclusion Command, AutoIt3 Execution From Suspicious Folder, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Aspnet Compiler, PowerShell EncodedCommand, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Elise Backdoor, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Interactive Terminal Spawned via Python, Mustang Panda Dropper, Mshta Suspicious Child Process, Screenconnect Remote Execution, Sysprep On AppData Folder, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Office Spawning Script, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Scheduled Task Creation By Non Privileged User, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Package Manager Alteration, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, FLTMC command usage, Netsh Allow Command, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Package Manager Alteration, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1547.013", "score": 100, "comment": "Rules: Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, DLL Load via LSASS Registry Key, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, Svchost Modification, Suspicious desktop.ini Action, Njrat Registry Values, Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, Process Trace Alteration, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Createdump, WCE wceaux.dll Creation, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Enabling Restricted Admin Mode, SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Legitimate Process Execution From Unusual Folder, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Chflags Hidden, Hiding Files With Attrib.exe"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Openfiles Usage, Network Scanning and Discovery"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Mshta Command From A Scheduled Task, Spoolsv Wrong Parent, MavInject Process Injection, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Windows Defender Logging Modification Via Registry, DHCP Callout DLL Installation, RDP Sensitive Settings Changed, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, MOFComp Execution, Suspicious Windows Installer Execution, IcedID Execution Using Excel, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Explorer Process Executing HTA File, Control Panel Items, Mshta JavaScript Execution, AccCheckConsole Executing Dll, CMSTP UAC Bypass via COM Object Access, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Process Call Creation, VSCode Tunnel Shell Exec, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WerFaultSecure Abuse, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, Screenconnect Remote Execution, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Taskkill Command, Web Application Launching Shell, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, New Service Creation, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, New Service Creation, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, PsExec Process, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Csrss Child Found, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Suspicious DNS Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, PsExec Process, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Windows Update LolBins, Csrss Child Found, SolarWinds Suspicious File Creation, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Suspicious DNS Child Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Component Object Model Hijacking, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, Screenconnect Remote Execution, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Trickbot Malware Activity, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: MS Office Product Spawning Exe in User Dir, Suspicious Outlook Child Process, Winword Document Droppers, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Svchost Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Rclone Process"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, Dynamic DNS Contacted, Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Generic Password Discovery, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft IIS Module Installation, Exchange Server Spawning Suspicious Processes, Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1563.001", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1563", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot, User Added To Admin Group Via Cmd, Dscl Authonly"}, {"techniqueID": "T1555.001", "score": 100, "comment": "Rules: Generic Password Discovery"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Tanium", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Suspicious VBS Execution Parameter, PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell EncodedCommand, Microsoft Office Creating Suspicious File, PowerShell Downgrade Attack, Interactive Terminal Spawned via Python, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Web Application Launching Shell, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, WMIC Uninstall Product, Trickbot Malware Activity, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, Powershell Web Request, Python Offensive Tools and Packages, Screenconnect Remote Execution, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Bloodhound and Sharphound Tools Usage, Suspicious Outlook Child Process, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Sysprep On AppData Folder, PowerShell Commands Invocation, AutoIt3 Execution From Suspicious Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Generic-reverse-shell-oneliner, SquirrelWaffle Malspam Execution Loading DLL, Socat Relaying Socket, Mustang Panda Dropper, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, Mshta Suspicious Child Process, Suspicious Cmd.exe Command Line, Suspicious XOR Encoded PowerShell Command Line, Aspnet Compiler, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Bash Reverse Shell, Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious File Name"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Suspicious Windows DNS Queries, Cryptomining, Dynamic DNS Contacted, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Fail2ban Unban IP, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, Netsh RDP Port Opening, ETW Tampering, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Services, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disable .NET ETW Through COMPlus_ETWEnabled, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Fail2ban Unban IP, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, FLTMC command usage, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Smss Wrong Parent, MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Taskhost Wrong Parent, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Mshta Command From A Scheduled Task, Svchost Wrong Parent"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, Shadow Copies"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key, Malware Persistence Registry Key, Kernel Module Alteration, Njrat Registry Values, Linux Suspicious Auto-start Desktop Shortcut Execution, Suspicious desktop.ini Action, Microsoft Office Macro Security Registry Modifications, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Powershell Winlogon Helper DLL"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, Chflags Hidden, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode, SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Cron Files Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1547.013", "score": 100, "comment": "Rules: Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, WCE wceaux.dll Creation, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Windows Defender Logging Modification Via Registry, RDP Sensitive Settings Changed, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious New Printer Ports In Registry, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Child Found, Mshta Command From A Scheduled Task, Rare Logonui Child Found, New Service Creation, SolarWinds Wrong Child Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Child Found, Mshta Command From A Scheduled Task, Rare Logonui Child Found, New Service Creation, SolarWinds Wrong Child Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Mshta Command From A Scheduled Task, Csrss Child Found, Rare Logonui Child Found, SolarWinds Wrong Child Process, PsExec Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Windows Update LolBins, Taskhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Exfiltration Via Pscp, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Mshta Command From A Scheduled Task, Csrss Child Found, SolarWinds Suspicious File Creation, Rare Logonui Child Found, SolarWinds Wrong Child Process, PsExec Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 1"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 1, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Powershell Web Request, Screenconnect Remote Execution, PowerShell Malicious Nishang PowerShell Commandlets, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Mshta Suspicious Child Process, Suspicious XOR Encoded PowerShell Command Line, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WerFaultSecure Abuse, Tactical RMM Installation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, VSCode Tunnel Shell Exec, Impacket Wmiexec Module, Suspicious Mshta Execution From Wmi, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, Webshell Creation"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, CMSTP UAC Bypass via COM Object Access, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regsvr32 Execution, xWizard Execution, AccCheckConsole Executing Dll, MOFComp Execution, Suspicious Windows Installer Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Lazarus Loaders, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Screenconnect Remote Execution, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Mustang Panda Dropper, Web Application Launching Shell, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Winword Document Droppers, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Winword Document Droppers, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Suspicious Outlook Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Suspicious New Printer Ports In Registry, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Generic Password Discovery, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd, Enable Root Account With Dsenableroot, Dscl Authonly"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1555.001", "score": 100, "comment": "Rules: Generic Password Discovery"}, {"techniqueID": "T1563.001", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1563", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json
index 7c080139f5..779cf30133 100644
--- a/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Umbrella Proxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default POST Beaconing, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cryptomining, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default POST Beaconing, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Umbrella Proxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Cryptomining, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, LokiBot Default C2 URL, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5cac7207-1711-4654-9932-929fe619f6ea_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5cac7207-1711-4654-9932-929fe619f6ea_do_not_edit_manually.json
index f925408e9d..826b2fb22a 100644
--- a/_shared_content/operations_center/detection/generated/attack_5cac7207-1711-4654-9932-929fe619f6ea_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5cac7207-1711-4654-9932-929fe619f6ea_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Catalyst SD-WAN", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Koadic MSHTML Command, Nimbo-C2 User Agent, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Catalyst SD-WAN", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Dynamic DNS Contacted, Potential LokiBot User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Potential LokiBot User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2_do_not_edit_manually.json
index 4b6e39547c..6342c0257c 100644
--- a/_shared_content/operations_center/detection/generated/attack_5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Umbrella IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Umbrella IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5d9e261a-944c-4a76-8c61-6794fd44d9a8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5d9e261a-944c-4a76-8c61-6794fd44d9a8_do_not_edit_manually.json
index 7dde0c0689..f9c4ec63ca 100644
--- a/_shared_content/operations_center/detection/generated/attack_5d9e261a-944c-4a76-8c61-6794fd44d9a8_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5d9e261a-944c-4a76-8c61-6794fd44d9a8_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Unbound", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Unbound", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Cobalt Strike DNS Beaconing, Dynamic DNS Contacted, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.json
index 7c5ade2762..124fa1a47b 100644
--- a/_shared_content/operations_center/detection/generated/attack_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiMail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiMail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Dynamic DNS Contacted, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Email Attachment Received, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json
index aeb4bdd7f1..1fdc366aa2 100644
--- a/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SonicWall Secure Mobile Access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SonicWall Secure Mobile Access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.json
index 7ca023c7e3..9fceae070b 100644
--- a/_shared_content/operations_center/detection/generated/attack_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft IIS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Koadic MSHTML Command"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft IIS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Koadic MSHTML Command, Dynamic DNS Contacted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_64d118f0-84a5-4f46-ab05-7776bd6d0eed_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_64d118f0-84a5-4f46-ab05-7776bd6d0eed_do_not_edit_manually.json
index 36a012fea4..993f8ad844 100644
--- a/_shared_content/operations_center/detection/generated/attack_64d118f0-84a5-4f46-ab05-7776bd6d0eed_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_64d118f0-84a5-4f46-ab05-7776bd6d0eed_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Clavister NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Clavister NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6967b0ca-f27e-480a-b124-fa4ab0b9d889_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6967b0ca-f27e-480a-b124-fa4ab0b9d889_do_not_edit_manually.json
index 6768e7b67e..8622b9cc45 100644
--- a/_shared_content/operations_center/detection/generated/attack_6967b0ca-f27e-480a-b124-fa4ab0b9d889_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6967b0ca-f27e-480a-b124-fa4ab0b9d889_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Application Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cryptomining, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Application Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json
index e8bdd6aafd..d3c745a877 100644
--- a/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Front Door", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default POST Beaconing, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cryptomining, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default POST Beaconing, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Front Door", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Cryptomining, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, LokiBot Default C2 URL, Koadic MSHTML Command, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json
index 78c872e4b4..9859fe7b3f 100644
--- a/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WALLIX Bastion", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, PowerShell EncodedCommand, MalwareBytes Uninstallation, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, Mustang Panda Dropper, Socat Reverse Shell Detection, Correlation Netcat Infection Chain, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Correlation Netcat Infection Chain"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Process Trace Alteration, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Listing Systemd Environment, WMI Fingerprint Commands"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious certutil command, Correlation Netcat Infection Chain, Suspicious Desktopimgdownldr Execution, Rclone Process"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage, Container Credential Access"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Services, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Disable Services, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Windows Defender Logging Modification Via Registry, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, WMI Fingerprint Commands, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, WMImplant Hack Tool, Blue Mockingbird Malware"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, PowerView commandlets 1, Reconnaissance Commands Activities, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Change Default File Association, COM Hijack Via Sdclt, Reconnaissance Commands Activities, Component Object Model Hijacking, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Generic, Suspicious PowerShell Keywords, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Powershell Web Request And Windows Script, FromBase64String Command Line, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Executions, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Equation Group DLL_U Load, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Executions, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Suspicious Desktopimgdownldr Execution, MavInject Process Injection"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, Reconnaissance Commands Activities, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Dynamic DNS Contacted, Cryptomining, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Brute Force WALLIX Bastion"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WALLIX Bastion", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Correlation Netcat Infection Chain, WMIC Uninstall Product, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, PowerShell Commands Invocation, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, Mustang Panda Dropper, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Cmd.exe Command Line, Linux Bash Reverse Shell, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Correlation Netcat Infection Chain, Linux Bash Reverse Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Pandemic Windows Implant, Correlation Netcat Infection Chain, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Allowed Python Program, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Discovery Commands Correlation, WMI Fingerprint Commands"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Reconnaissance Commands Activities"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 1, NlTest Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, Invoke-TheHash Commandlets, PowerShell EncodedCommand, PowerShell Invoke Expression With Registry, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Tactical RMM Installation, Invoke-TheHash Commandlets, WMI Fingerprint Commands, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, WMIC Uninstall Product"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, MavInject Process Injection, Suspicious Taskkill Command, CertOC Loading Dll, Control Panel Items, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Brute Force WALLIX Bastion"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_do_not_edit_manually.json
index 44de81895f..9ad06cca09 100644
--- a/_shared_content/operations_center/detection/generated/attack_6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Apache HTTP Server", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default POST Beaconing, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cryptomining, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default POST Beaconing, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Apache HTTP Server", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console, Sekoia.io EICAR Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Cryptomining, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, LokiBot Default C2 URL, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json
index c9e01c9109..1ffb4dd06c 100644
--- a/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ubika WAAP Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cryptomining, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ubika WAAP Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6e2f8b2b-3412-4699-a96b-a9a769bff683_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6e2f8b2b-3412-4699-a96b-a9a769bff683_do_not_edit_manually.json
index 754ac6f06b..50ca79b159 100644
--- a/_shared_content/operations_center/detection/generated/attack_6e2f8b2b-3412-4699-a96b-a9a769bff683_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6e2f8b2b-3412-4699-a96b-a9a769bff683_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x CyberArk Digital Vault", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, PowerShell EncodedCommand, MalwareBytes Uninstallation, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, Mustang Panda Dropper, Socat Reverse Shell Detection, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Process Trace Alteration, HackTools Suspicious Names, WCE wceaux.dll Creation, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage, Container Credential Access"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Services, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Suspicious PROCEXP152.sys File Created In Tmp, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Windows Defender Logging Modification Via Registry, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, WMImplant Hack Tool, Blue Mockingbird Malware"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Component Object Model Hijacking, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Generic, Suspicious PowerShell Keywords, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Powershell Web Request And Windows Script, FromBase64String Command Line, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Executions, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Equation Group DLL_U Load, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Executions, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Suspicious Desktopimgdownldr Execution, MavInject Process Injection"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Rclone Process, Suspicious Desktopimgdownldr Execution, Suspicious certutil command"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Dynamic DNS Contacted, Cryptomining, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x CyberArk Digital Vault", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, WMIC Uninstall Product, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, PowerShell Commands Invocation, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, Mustang Panda Dropper, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Cmd.exe Command Line, Linux Bash Reverse Shell, Malspam Execution Registering Malicious DLL, Suspicious File Name"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, Suspicious PROCEXP152.sys File Created In Tmp, Raccine Uninstall, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Allowed Python Program, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Credential Dump Tools Related Files, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, HackTools Suspicious Names, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, WCE wceaux.dll Creation, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 1, NlTest Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, Invoke-TheHash Commandlets, PowerShell EncodedCommand, PowerShell Invoke Expression With Registry, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, RTLO Character, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Tactical RMM Installation, Invoke-TheHash Commandlets, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, WMIC Uninstall Product"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, MavInject Process Injection, Suspicious Taskkill Command, CertOC Loading Dll, Control Panel Items, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious certutil command, Rclone Process, Pandemic Windows Implant"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json
index 850941da20..bf74c05eff 100644
--- a/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco IOS router and switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Generic, Suspicious VBS Execution Parameter, Powershell Web Request And Windows Script, Generic-reverse-shell-oneliner, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Aspnet Compiler, PowerShell EncodedCommand, MalwareBytes Uninstallation, Elise Backdoor, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Interactive Terminal Spawned via Python, Mustang Panda Dropper, Sysprep On AppData Folder, Socat Reverse Shell Detection, Correlation Netcat Infection Chain, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Services, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Correlation Netcat Infection Chain"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, Process Trace Alteration, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery, WMI Fingerprint Commands"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Correlation Netcat Infection Chain, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Rclone Process"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, Shell PID Injection, Reconnaissance Commands Activities, COM Hijack Via Sdclt, UAC Bypass Via Sdclt"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, PowerView commandlets 1, Shell PID Injection, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Shell PID Injection, Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Chflags Hidden, Hiding Files With Attrib.exe"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Windows Defender Logging Modification Via Registry, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, Suspicious Windows Installer Execution, MavInject Process Injection, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Explorer Process Executing HTA File, Control Panel Items, Mshta JavaScript Execution, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, WMI Fingerprint Commands, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WerFaultSecure Abuse"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, QakBot Process Creation, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Change Default File Association, COM Hijack Via Sdclt, Reconnaissance Commands Activities, Component Object Model Hijacking, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Remote System Discovery Via Telnet, Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Impacket Addcomputer, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, User Added To Admin Group Via Cmd, Dscl Authonly, Account Removed From A Security Enabled Group, Enable Root Account With Dsenableroot"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft IIS Module Installation, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco IOS router and switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Suspicious VBS Execution Parameter, PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell EncodedCommand, PowerShell Downgrade Attack, Interactive Terminal Spawned via Python, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Correlation Netcat Infection Chain, WMIC Uninstall Product, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Sysprep On AppData Folder, PowerShell Commands Invocation, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Generic-reverse-shell-oneliner, Socat Relaying Socket, Mustang Panda Dropper, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, Suspicious Cmd.exe Command Line, Suspicious XOR Encoded PowerShell Command Line, Aspnet Compiler, Linux Bash Reverse Shell, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Koadic MSHTML Command, Dynamic DNS Contacted, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Shell PID Injection, UAC Bypass Via Sdclt, Reconnaissance Commands Activities"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 1, PowerView commandlets 2, Shell PID Injection, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Netsh Allow Command, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Correlation Netcat Infection Chain, Linux Bash Reverse Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Correlation Netcat Infection Chain, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, WMI Fingerprint Commands, System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Kernel Module Alteration, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, Chflags Hidden, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, HackTools Suspicious Names, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Reconnaissance Commands Activities"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 1, NlTest Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WerFaultSecure Abuse, Tactical RMM Installation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, WMI Fingerprint Commands, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regsvr32 Execution, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, PsExec Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, Impacket Addcomputer, User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, User Added To Admin Group Via Cmd, Account Removed From A Security Enabled Group, Enable Root Account With Dsenableroot, Dscl Authonly"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft IIS Module Installation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json
index 55f104bbf5..3ce7fb21d6 100644
--- a/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Files", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cryptomining, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Files", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Dynamic DNS Contacted, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_71bd28dc-163d-4262-9d50-84ec4a9cef65_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_71bd28dc-163d-4262-9d50-84ec4a9cef65_do_not_edit_manually.json
index e66830111f..fe39f15c51 100644
--- a/_shared_content/operations_center/detection/generated/attack_71bd28dc-163d-4262-9d50-84ec4a9cef65_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_71bd28dc-163d-4262-9d50-84ec4a9cef65_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Check Point Harmony Email & Collaboration Suite Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Check Point Harmony Email & Collaboration Suite Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Dynamic DNS Contacted, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json
index 284c9ca39c..35428a6a3d 100644
--- a/_shared_content/operations_center/detection/generated/attack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Audit logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Audit logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_783fee54-0527-4624-ab7f-080c0f33fa75_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_783fee54-0527-4624-ab7f-080c0f33fa75_do_not_edit_manually.json
index dde11a273f..edcb870ddf 100644
--- a/_shared_content/operations_center/detection/generated/attack_783fee54-0527-4624-ab7f-080c0f33fa75_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_783fee54-0527-4624-ab7f-080c0f33fa75_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Wiz Vulnerability Findings", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Wiz Vulnerability Findings", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json
index 5bb267be1b..be588560ea 100644
--- a/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Stormshield SNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Python Offensive Tools and Packages, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Generic, Suspicious VBS Execution Parameter, Powershell Web Request And Windows Script, Generic-reverse-shell-oneliner, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, PowerShell EncodedCommand, MalwareBytes Uninstallation, Elise Backdoor, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Interactive Terminal Spawned via Python, Mustang Panda Dropper, Sysprep On AppData Folder, Socat Reverse Shell Detection, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Services, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, Process Trace Alteration, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Chflags Hidden, Hiding Files With Attrib.exe"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Openfiles Usage, Network Scanning and Discovery"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Windows Defender Logging Modification Via Registry, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, Suspicious Windows Installer Execution, MavInject Process Injection, xWizard Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Explorer Process Executing HTA File, Control Panel Items, Mshta JavaScript Execution, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WerFaultSecure Abuse"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, QakBot Process Creation, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Component Object Model Hijacking, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Rclone Process"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, Download File On Cloud Storage Through Command Line, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Download File On Cloud Storage Through Command Line"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft IIS Module Installation, PowerCat Function Loading"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot, User Added To Admin Group Via Cmd, Dscl Authonly"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Stormshield SNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Suspicious VBS Execution Parameter, PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell EncodedCommand, PowerShell Downgrade Attack, Interactive Terminal Spawned via Python, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, WMIC Uninstall Product, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, Powershell Web Request, Python Offensive Tools and Packages, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Sysprep On AppData Folder, PowerShell Commands Invocation, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Generic-reverse-shell-oneliner, Socat Relaying Socket, Mustang Panda Dropper, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, Suspicious Cmd.exe Command Line, Suspicious XOR Encoded PowerShell Command Line, Linux Bash Reverse Shell, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Download File On Cloud Storage Through Command Line, Koadic MSHTML Command, Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Netsh Allow Command, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, Shadow Copies"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Kernel Module Alteration, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, Chflags Hidden, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, HackTools Suspicious Names, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 1"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 1, NlTest Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, RTLO Character, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WerFaultSecure Abuse, Tactical RMM Installation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, CMSTP Execution, Suspicious Regsvr32 Execution, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, PsExec Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Koadic MSHTML Command, Download File On Cloud Storage Through Command Line"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft IIS Module Installation"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd, Enable Root Account With Dsenableroot, Dscl Authonly"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7954ae6f-eafa-404d-8e15-4b99a12b754c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7954ae6f-eafa-404d-8e15-4b99a12b754c_do_not_edit_manually.json
index c77a0ca2d2..a039927d13 100644
--- a/_shared_content/operations_center/detection/generated/attack_7954ae6f-eafa-404d-8e15-4b99a12b754c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7954ae6f-eafa-404d-8e15-4b99a12b754c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Apache SpamAssassin", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Apache SpamAssassin", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json
index 300800e58d..e82370cb04 100644
--- a/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ivanti / Pulse Connect Secure", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ivanti / Pulse Connect Secure", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json
index 21d228f24e..7229d24e1a 100644
--- a/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Gateway DNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Cloudflare Gateway DNS Query Allowed to Malicious Domain, Cloudflare Gateway DNS Query Blocked to Malicious Domain, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cloudflare Gateway DNS Query Allowed to Malicious Domain, Cloudflare Gateway DNS Query Blocked to Malicious Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Gateway DNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Cloudflare Gateway DNS Query Allowed to Malicious Domain, Cobalt Strike DNS Beaconing, Dynamic DNS Contacted, Sliver DNS Beaconing, Cloudflare Gateway DNS Query Blocked to Malicious Domain, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cloudflare Gateway DNS Query Allowed to Malicious Domain, Cloudflare Gateway DNS Query Blocked to Malicious Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7b6d0592-9e0e-4db0-adf0-c9ab2d5c2162_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7b6d0592-9e0e-4db0-adf0-c9ab2d5c2162_do_not_edit_manually.json
index d4e5619812..465baaba29 100644
--- a/_shared_content/operations_center/detection/generated/attack_7b6d0592-9e0e-4db0-adf0-c9ab2d5c2162_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7b6d0592-9e0e-4db0-adf0-c9ab2d5c2162_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Netskope Transaction Events with AWS S3", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cryptomining, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Netskope Transaction Events with AWS S3", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json
index 63220f1678..17f907f3c3 100644
--- a/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Varonis Data Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098", "score": 100, "comment": "Rules: Varonis Many Accounts Disabled"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Varonis Massive Dowloads By A Single User, Varonis Many File Created and Deleted"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Names, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Varonis Data Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Varonis Many File Created and Deleted, Varonis Massive Dowloads By A Single User"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Varonis Many Accounts Disabled"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Email Attachment Received"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, Process Trace Alteration"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7f89b1b9-de7f-4e2c-bcef-4d7ddfc91d31_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7f89b1b9-de7f-4e2c-bcef-4d7ddfc91d31_do_not_edit_manually.json
index 9ffc08f286..6a94a80f02 100644
--- a/_shared_content/operations_center/detection/generated/attack_7f89b1b9-de7f-4e2c-bcef-4d7ddfc91d31_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7f89b1b9-de7f-4e2c-bcef-4d7ddfc91d31_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Wiz Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Wiz Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json
index 39588b17ca..8a3d8bea4f 100644
--- a/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft Always On VPN", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft Always On VPN", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json
index ca05d1d801..275c4c6fff 100644
--- a/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Github Audit logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: GitHub Outside Collaborator Detected, GitHub New Organization Member, GitHub High Risk Configuration Disabled, GitHub Delete Action, GitHub Dependabot Or Vulnerability Alerts Disabled"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: GitHub Outside Collaborator Detected, GitHub New Organization Member, GitHub High Risk Configuration Disabled, GitHub Delete Action, GitHub Dependabot Or Vulnerability Alerts Disabled"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Github Audit logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub High Risk Configuration Disabled, GitHub Delete Action, GitHub New Organization Member, GitHub Outside Collaborator Detected"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub High Risk Configuration Disabled, GitHub Delete Action, GitHub New Organization Member, GitHub Outside Collaborator Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json
index a5eb54b511..86be3da386 100644
--- a/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Vade Cloud", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Vade Cloud", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json
index 9525c4b8d8..c09705339c 100644
--- a/_shared_content/operations_center/detection/generated/attack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft 365 Message Trace [DEPRECATED]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft 365 Message Trace [DEPRECATED]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json
index c0c88db76c..f6f1619609 100644
--- a/_shared_content/operations_center/detection/generated/attack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OpenBSD Packet Filter / OPNSense / PfSense", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OpenBSD Packet Filter / OPNSense / PfSense", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json
index 9950057301..16715bb75d 100644
--- a/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Infoblox DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Infoblox DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Cobalt Strike DNS Beaconing, Dynamic DNS Contacted, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json
index 88aee9a38c..e4bc949b25 100644
--- a/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ManageEngine ADAudit Plus", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Names, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ManageEngine ADAudit Plus", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, Process Trace Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_89346697-b64b-45d4-a456-72fd8a2be5d8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_89346697-b64b-45d4-a456-72fd8a2be5d8_do_not_edit_manually.json
index b4a4478f4a..8d4fc1bff7 100644
--- a/_shared_content/operations_center/detection/generated/attack_89346697-b64b-45d4-a456-72fd8a2be5d8_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_89346697-b64b-45d4-a456-72fd8a2be5d8_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Thinkst Canary", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Bloodhound and Sharphound Tools Usage, Suspicious File Name"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Exfiltration And Tunneling Tools Execution, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Suspicious Windows DNS Queries, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Exfiltration And Tunneling Tools Execution, Cryptomining, Potential LokiBot User-Agent, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Suspicious Windows DNS Queries, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot, Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Thinkst Canary", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Cryptomining, Potential Lemon Duck User-Agent, Suspicious Windows DNS Queries, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Suspicious Windows DNS Queries, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group, Enable Root Account With Dsenableroot"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json
index 7670321e23..5a7adde6bb 100644
--- a/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco ISE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco ISE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json
index 94632a277c..adef9111a6 100644
--- a/_shared_content/operations_center/detection/generated/attack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ubika Cloud Protector Traffic [DEPRECATED]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Koadic MSHTML Command, Nimbo-C2 User Agent, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ubika Cloud Protector Traffic [DEPRECATED]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Dynamic DNS Contacted, Potential LokiBot User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Potential LokiBot User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
index 5de1daaecd..4d8a9ef861 100644
--- a/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x TEHTRIS EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, TEHTRIS EDR Alert, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Generic, Suspicious VBS Execution Parameter, Powershell Web Request And Windows Script, Generic-reverse-shell-oneliner, Suspicious Microsoft Defender Antivirus Exclusion Command, AutoIt3 Execution From Suspicious Folder, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, PowerShell EncodedCommand, MalwareBytes Uninstallation, Elise Backdoor, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Interactive Terminal Spawned via Python, Mustang Panda Dropper, Sysprep On AppData Folder, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, TEHTRIS EDR Alert"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, TEHTRIS EDR Alert, SolarWinds Suspicious File Creation, PsExec Process, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, Process Trace Alteration, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Createdump, WCE wceaux.dll Creation, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Legitimate Process Execution From Unusual Folder, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Leviathan Registry Key Activity, Suspicious desktop.ini Action, Njrat Registry Values"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Chflags Hidden, Hiding Files With Attrib.exe"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Openfiles Usage, Network Scanning and Discovery"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Windows Defender Logging Modification Via Registry, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, Suspicious Windows Installer Execution, MavInject Process Injection, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Explorer Process Executing HTA File, Control Panel Items, Mshta JavaScript Execution, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WerFaultSecure Abuse"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, QakBot Process Creation, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Component Object Model Hijacking, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Rclone Process"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft IIS Module Installation, Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, User Added To Admin Group Via Cmd, Dscl Authonly, Account Removed From A Security Enabled Group, Enable Root Account With Dsenableroot"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x TEHTRIS EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Suspicious VBS Execution Parameter, PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell EncodedCommand, Microsoft Office Creating Suspicious File, PowerShell Downgrade Attack, Interactive Terminal Spawned via Python, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, WMIC Uninstall Product, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Sysprep On AppData Folder, PowerShell Commands Invocation, AutoIt3 Execution From Suspicious Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Generic-reverse-shell-oneliner, Socat Relaying Socket, Mustang Panda Dropper, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, TEHTRIS EDR Alert, Suspicious Cmd.exe Command Line, Suspicious XOR Encoded PowerShell Command Line, Linux Bash Reverse Shell, Malspam Execution Registering Malicious DLL, Suspicious File Name"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Koadic MSHTML Command, Dynamic DNS Contacted, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, TEHTRIS EDR Alert"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, OneNote Suspicious Children Process, TEHTRIS EDR Alert"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Possible Malicious File Double Extension, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, Shadow Copies"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Kernel Module Alteration, Njrat Registry Values, Suspicious desktop.ini Action, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, Chflags Hidden, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, WCE wceaux.dll Creation, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 1"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 1, NlTest Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WerFaultSecure Abuse, Tactical RMM Installation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regsvr32 Execution, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools, OneNote Suspicious Children Process"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, Webshell Creation"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, User Added To Admin Group Via Cmd, Account Removed From A Security Enabled Group, Enable Root Account With Dsenableroot, Dscl Authonly"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_90179796-f949-490c-8729-8cbc9c65be55_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_90179796-f949-490c-8729-8cbc9c65be55_do_not_edit_manually.json
index 4826814f1b..0e4afa9ffe 100644
--- a/_shared_content/operations_center/detection/generated/attack_90179796-f949-490c-8729-8cbc9c65be55_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_90179796-f949-490c-8729-8cbc9c65be55_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Umbrella DNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Cisco Umbrella Threat Detected, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Umbrella DNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console, Sekoia.io EICAR Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Cobalt Strike DNS Beaconing, Dynamic DNS Contacted, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Cisco Umbrella Threat Detected, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json
index 3b4d923103..3770c1b934 100644
--- a/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Palo Alto NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, Burp Suite Tool Detected, WAF Correlation Block actions, WAF Correlation Block Multiple Destinations"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, WAF Block Rule, Internet Scanner, Burp Suite Tool Detected, WAF Correlation Block Multiple Destinations, WAF Correlation Block actions"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Names, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Correlation Admin Files Checked On Network Share"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Login Brute-Force Successful On SentinelOne EDR Management Console, ISO LNK Infection Chain, HTA Infection Chains"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Adidnsdump Enumeration, Internet Scanner"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Palo Alto NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Login Brute-Force Successful On SentinelOne EDR Management Console, Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions, WAF Correlation Block Multiple Destinations, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, WAF Block Rule, WAF Correlation Block actions, Internet Scanner, Burp Suite Tool Detected, WAF Correlation Block Multiple Destinations"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Login Brute-Force Successful On SentinelOne EDR Management Console, HTA Infection Chains"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Email Attachment Received, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, Process Trace Alteration"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Correlation Admin Files Checked On Network Share"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json
index 5836ba423b..db45f76855 100644
--- a/_shared_content/operations_center/detection/generated/attack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ISC DHCP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ISC DHCP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json
index c2b0ab43bc..3f77030c81 100644
--- a/_shared_content/operations_center/detection/generated/attack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fastly Next-Gen WAF Alerts", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fastly Next-Gen WAF Alerts", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
index 9f598c48d7..102627465a 100644
--- a/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, QakBot Process Creation, Sekoia.io EICAR Detection, In-memory PowerShell, Suspicious Scripting In A WMI Consumer, PowerShell Commands Invocation, JS PowerShell Infection Chains, Web Application Launching Shell, Generic-reverse-shell-oneliner, Lazarus Loaders, MalwareBytes Uninstallation, XSL Script Processing And SquiblyTwo Attack, Suspicious PowerShell Keywords, Screenconnect Remote Execution, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, Alternate PowerShell Hosts Pipe, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Downgrade Attack, Trickbot Malware Activity, Suspicious Taskkill Command, Socat Relaying Socket, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, Microsoft Defender Antivirus Threat Detected, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell NTFS Alternate Data Stream, PowerShell EncodedCommand, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, Sysprep On AppData Folder, Interactive Terminal Spawned via Python, Mustang Panda Dropper, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious File Name, Linux Bash Reverse Shell, FromBase64String Command Line, Login Brute-Force Successful On SentinelOne EDR Management Console, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Suspicious Windows Script Execution, Malicious PowerShell Keywords, Turla Named Pipes, WMI DLL Loaded Via Office, Sigma Intelligence ErrTraffic PowerShell Command Line, Evil Winrm Modules Execution, AutoIt3 Execution From Suspicious Folder, Suspicious PowerShell Invocations - Specific, PowerShell Suspicious Context Changes, Socat Reverse Shell Detection, Correlation Netcat Infection Chain, PowerShell Download From URL, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, Suspicious Cmd.exe Command Line, PowerShell Credential Prompt, Malspam Execution Registering Malicious DLL, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious VBS Execution Parameter, Suspicious DLL Loaded Via Office Applications, Correlation Supicious Powershell Drop and Exec, Aspnet Compiler, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Elise Backdoor, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, PowerShell Malicious PowerShell Commandlets, Detection of default Mimikatz banner, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, HarfangLab EDR Medium Threat, Cobalt Strike Default Beacons Names, HarfangLab EDR Low Level Rule Detection, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Low Threat, IcedID Execution Using Excel, HarfangLab EDR High Threat, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Critical Level Rule Detection, Malspam Execution Registering Malicious DLL, HarfangLab EDR Process Execution Blocked (HL-AI engine), Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Critical Threat, Suspicious DLL Loaded Via Office Applications, Exploit For CVE-2015-1641, HarfangLab EDR Hlai Engine Detection, Winword Document Droppers, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Download Files From Non-Legitimate TLDs, HarfangLab EDR Medium Level Rule Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, HarfangLab EDR Medium Threat, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, HarfangLab EDR Low Level Rule Detection, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Low Threat, IcedID Execution Using Excel, Login Brute-Force Successful On SentinelOne EDR Management Console, HTA Infection Chains, HarfangLab EDR High Threat, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Critical Level Rule Detection, Malspam Execution Registering Malicious DLL, Registry Value Changed Via Windows Run Dialog, HarfangLab EDR Process Execution Blocked (HL-AI engine), Explorer Process Executing HTA File, Correlation PowerShell Suspicious DLL Loading, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Critical Threat, Suspicious DLL Loaded Via Office Applications, Microsoft Defender Antivirus Threat Detected, ISO LNK Infection Chain, Exploit For CVE-2015-1641, HarfangLab EDR Hlai Engine Detection, Winword Document Droppers, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Download Files From Non-Legitimate TLDs, HarfangLab EDR Medium Level Rule Detection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Driver Loaded, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Windows Defender Deactivation Using PowerShell Script, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Configuration Changed, Netsh RDP Port Forwarding, TrustedInstaller Impersonation, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, Netsh Port Forwarding, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Python Opening Ports, ETW Tampering, Suspicious Driver Loaded, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, FLTMC command usage, Netsh Allow Command, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Powershell AMSI Bypass, Windows Defender Deactivation Using PowerShell Script, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Disable Security Events Logging Adding Reg Key MiniNt, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Configuration Changed, Netsh RDP Port Forwarding, TrustedInstaller Impersonation, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspect Svchost Memory Access, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Malware Protection Engine Crash, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1547.013", "score": 100, "comment": "Rules: Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Powershell Suspicious Startup Shortcut Persistence, Kernel Module Alteration, DLL Load via LSASS Registry Key, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, Svchost Modification, Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration, Registry Key Used By Some Old Agent Tesla Samples, Njrat Registry Values, Narrator Feedback-Hub Persistence, Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, Container Credential Access, Remote Registry Management Using Reg Utility, Opening Of a Password File, Credentials Extraction, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Correlation Netcat Infection Chain"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Dumpert LSASS Process Dumper, Suspicious SAM Dump, Process Trace Alteration, Impacket Secretsdump.py Tool, Active Directory Database Dump Via Ntdsutil, LSASS Memory Dump File Creation, Copying Browser Files With Credentials, Lsass Access Through WinRM, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, Credential Dump Tools Related Files, Process Memory Dump Using Comsvcs, LSASS Access From Non System Account, SAM Registry Hive Handle Request, Cmdkey Cached Credentials Recon, DCSync Attack, Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, DPAPI Domain Backup Key Extraction, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping-Tools Common Named Pipes, RedMimicry Winnti Playbook Dropped File, Copying Sensitive Files With Credential Data, Credential Dumping Tools Service Execution, HackTools Suspicious Names, Windows Credential Editor Registry Key, Mimikatz LSASS Memory Access, Password Dumper Activity On LSASS, Credential Dumping By LaZagne, Unsigned Image Loaded Into LSASS Process, LSASS Memory Dump, Malicious Service Installations, Active Directory Replication from Non Machine Account, WCE wceaux.dll Creation, Rubeus Tool Command-line, Transferring Files With Credential Data Via Network Shares, NTDS.dit File In Suspicious Directory, NetNTLM Downgrade Attack, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, DHCP Server Error Failed Loading the CallOut DLL, Werfault DLL Injection, Windows Registry Persistence COM Search Order Hijacking, DHCP Callout DLL Installation, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, Suspicious DLL side loading from ProgramData, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation, Svchost DLL Search Order Hijack, Elevated Shell Launched By Browser, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Execution From Suspicious Folder, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Legitimate Process Execution From Unusual Folder, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading, Unsigned Driver Loaded From Suspicious Location, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Possible Malicious File Double Extension, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery, WMI Fingerprint Commands"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, User Added to Local Administrators, Active Directory User Backdoors, SeEnableDelegationPrivilege Granted To User Or Machine In Active Directory, Add User to Privileged Group, Active Directory Replication User Backdoor, Privileged AD Builtin Group Modified, Password Change On Directory Service Restore Mode (DSRM) Account, Active Directory Delegate To KRBTGT Service, Enabling Restricted Admin Mode"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Correlation Netcat Infection Chain, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Information Stealer Downloading Legitimate Third-Party DLLs, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Rclone Process"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection, Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, Shell PID Injection, COM Hijack Via Sdclt, Reconnaissance Commands Activities, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Remote Enumeration Of Lateral Movement Groups, PowerView commandlets 1, AD User Enumeration, Remote Privileged Group Enumeration, Shell PID Injection, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, AD Privileged Users Or Groups Reconnaissance, PowerView commandlets 2, Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Shell PID Injection, Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Chflags Hidden, Hiding Files With Attrib.exe, PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: Successful Brute Force Login From Internet, CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: AD Object WriteDAC Access, File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Eventlog Cleared, ETW Tampering, Cookies Deletion, Secure Deletion With SDelete, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Clear EventLogs Through CommandLine, Correlation Post Exploitation Patterns Via Winrm, Microsoft Defender Antivirus History Deleted, Evil Winrm Modules Execution, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Process Hollowing Detection, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Process Herpaderping, Smss Wrong Parent, Spoolsv Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Mshta Command From A Scheduled Task, Malicious Named Pipe, Cobalt Strike Named Pipes, MavInject Process Injection, Wsmprovhost Wrong Parent, Dynwrapx Module Loading, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, OceanLotus Registry Activity, FlowCloud Malware, Wdigest Enable UseLogonCredential, RedMimicry Winnti Playbook Registry Manipulation, Remote Registry Management Using Reg Utility, DHCP Callout DLL Installation, RDP Sensitive Settings Changed, DNS ServerLevelPluginDll Installation, Disable Security Events Logging Adding Reg Key MiniNt, Disabling SmartScreen Via Registry, RDP Port Change Using Powershell, Suspicious Desktopimgdownldr Execution, Disable .NET ETW Through COMPlus_ETWEnabled, Chafer (APT 39) Activity, Windows Defender Logging Modification Via Registry, LanManServer Registry Modify, Ursnif Registry Key, Blue Mockingbird Malware, NetNTLM Downgrade Attack, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, MOFComp Execution, Suspicious Windows Installer Execution, IcedID Execution Using Excel, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Explorer Process Executing HTA File, Control Panel Items, Mshta JavaScript Execution, AccCheckConsole Executing Dll, CMSTP UAC Bypass via COM Object Access, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Dynwrapx Module Loading, Empire Monkey Activity"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, In-memory PowerShell, FromBase64String Command Line, Powershell Web Request, Alternate PowerShell Hosts Pipe, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Credential Prompt, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Malicious PowerShell Keywords, Turla Named Pipes, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Sigma Intelligence ErrTraffic PowerShell Command Line, Correlation Supicious Powershell Drop and Exec, Evil Winrm Modules Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell NTFS Alternate Data Stream, PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Suspicious Context Changes, Screenconnect Remote Execution, Mshta Suspicious Child Process, PowerShell Malicious PowerShell Commandlets, Detection of default Mimikatz banner, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.008", "score": 100, "comment": "Rules: Evil Winrm Modules Execution, Correlation Post Exploitation Patterns Via Winrm"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, User Added to Local Administrators, Dscl Authonly, Account Tampering - Suspicious Failed Logon Reasons, User Added To Admin Group Via Cmd, Denied Access To Remote Desktop, Account Removed From A Security Enabled Group, Enable Root Account With Dsenableroot, Admin User RDP Remote Logon"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon, User Added To Admin Group Via Cmd"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Impacket Secretsdump.py Tool, DPAPI Domain Backup Key Extraction, Credential Dumping Tools Service Execution, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, WMI Fingerprint Commands, Invoke-TheHash Commandlets, WMI Install Of Binary, WMI DLL Loaded Via Office, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Process Call Creation, VSCode Tunnel Shell Exec, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WerFaultSecure Abuse, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, Screenconnect Remote Execution, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Taskkill Command, Web Application Launching Shell, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, TUN/TAP Driver Installation, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Python Opening Ports, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Cobalt Strike Default Service Creation Usage, Wininit Wrong Parent, WMI Persistence Command Line Event Consumer, Logonui Wrong Parent, New Service Creation, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, APT29 Fake Google Update Service Install, Lsass Wrong Parent, StoneDrill Service Install, Chafer (APT 39) Activity, Csrss Child Found, Malicious Service Installations, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Cobalt Strike Default Service Creation Usage, Wininit Wrong Parent, WMI Persistence Command Line Event Consumer, Logonui Wrong Parent, New Service Creation, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, APT29 Fake Google Update Service Install, Lsass Wrong Parent, StoneDrill Service Install, Chafer (APT 39) Activity, Csrss Child Found, Malicious Service Installations, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Metasploit PSExec Service Creation, Smss Wrong Parent, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, OneNote Suspicious Children Process, Taskhost Wrong Parent, Correlation Impacket Smbexec, Wininit Wrong Parent, WMI Persistence Command Line Event Consumer, Logonui Wrong Parent, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Smbexec.py Service Installation, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Windows Suspicious Service Creation, Csrss Wrong Parent, Taskhostw Wrong Parent, PsExec Process, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Csrss Child Found, Malicious Service Installations, Searchprotocolhost Wrong Parent, Suspicious PsExec Execution, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, Credential Dumping Tools Service Execution, Dllhost Wrong Parent, Suspicious DNS Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Metasploit PSExec Service Creation, Smss Wrong Parent, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Gpscript Suspicious Parent, Login Brute-Force Successful On SentinelOne EDR Management Console, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Check Point Harmony Mobile Application Forbidden, OneNote Suspicious Children Process, Taskhost Wrong Parent, Correlation Impacket Smbexec, Wininit Wrong Parent, WMI Persistence Command Line Event Consumer, Logonui Wrong Parent, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Smbexec.py Service Installation, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Windows Suspicious Service Creation, Microsoft Defender Antivirus Threat Detected, Csrss Wrong Parent, Taskhostw Wrong Parent, PsExec Process, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Windows Update LolBins, Csrss Child Found, SolarWinds Suspicious File Creation, Malicious Service Installations, Searchprotocolhost Wrong Parent, Suspicious PsExec Execution, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, Credential Dumping Tools Service Execution, Dllhost Wrong Parent, Suspicious DNS Child Process"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, AD User Enumeration, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, AD Privileged Users Or Groups Reconnaissance"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, QakBot Process Creation, Suspicious DLL Loaded Via Office Applications, WMI DLL Loaded Via Office, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Successful Brute Force Login From Internet, Correlation Internal Ntlm Password Spraying, Correlation Internal Kerberos Password Spraying"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Change Default File Association, COM Hijack Via Sdclt, Reconnaissance Commands Activities, Component Object Model Hijacking, Suspicious Scripting In A WMI Consumer, WMI Event Subscription, Suspicious Netsh DLL Persistence, Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Powershell Suspicious Startup Shortcut Persistence, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Svchost Modification, Registry Key Used By Some Old Agent Tesla Samples, Narrator Feedback-Hub Persistence"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, Werfault DLL Injection, DHCP Callout DLL Installation, Suspicious DLL side loading from ProgramData, DNS ServerLevelPluginDll Installation, Svchost DLL Search Order Hijack, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Correlation Admin Files Checked On Network Share, Netscan Share Access Artefact, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious Hostname, TOR Usage, TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands, Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Impacket Addcomputer"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Cmdkey Cached Credentials Recon, Credential Dumping Tools Service Execution, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: SCM Database Privileged Operation, PowerView commandlets 2, PowerView commandlets 1, SCM Database Handle Failure"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Trickbot Malware Activity, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Phosphorus Domain Controller Discovery, AdFind Usage"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Cobalt Strike Default Service Creation Usage, Correlation Impacket Smbexec, Smbexec.py Service Installation, Remote Service Activity Via SVCCTL Named Pipe, Admin Share Access, Lateral Movement Remote Named Pipe, Protected Storage Service Access"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Cobalt Strike Default Service Creation Usage, Correlation Impacket Smbexec, Smbexec.py Service Installation, Remote Service Activity Via SVCCTL Named Pipe, Admin Share Access, Denied Access To Remote Desktop, RDP Login From Localhost, Lsass Access Through WinRM, RDP Port Change Using Powershell, MMC20 Lateral Movement, Protected Storage Service Access, Lateral Movement Remote Named Pipe, MMC Spawning Windows Shell"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Windows Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Chafer (APT 39) Activity, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, Qakbot Persistence Using Schtasks, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Windows Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Chafer (APT 39) Activity, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, STRRAT Scheduled Task, Remote Task Creation Via ATSVC Named Pipe, BazarLoader Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, Qakbot Persistence Using Schtasks, Creation or Modification of a GPO Scheduled Task, Blue Mockingbird Malware"}, {"techniqueID": "T1558.004", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Suspicious Outbound Kerberos Connection, Suspicious TGS requests (Kerberoasting), Possible Replay Attack, Rubeus Tool Command-line, Kerberos Pre-Auth Disabled in UAC, Suspicious Kerberos Ticket, Rubeus Register New Logon Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Compression Followed By Suppression"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, RedMimicry Winnti Playbook Dropped File, Suspicious SAM Dump, Copying Sensitive Files With Credential Data, SAM Registry Hive Handle Request, Impacket Secretsdump.py Tool, Copying Browser Files With Credentials, Credential Dumping Tools Service Execution, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer, WMI Event Subscription"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Remote Task Creation Via ATSVC Named Pipe, Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Secure Deletion With SDelete, PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: System Network Connections Discovery, Remote System Discovery Via Telnet, Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, Microsoft Windows Active Directory Module Commandlets"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: LSASS Access From Non System Account, Credential Dumping-Tools Common Named Pipes, Credential Dumping Tools Service Execution, Dumpert LSASS Process Dumper, Password Dumper Activity On LSASS, Unsigned Image Loaded Into LSASS Process, LSASS Memory Dump, Windows Credential Editor Registry Key, Mimikatz LSASS Memory Access, Load Of dbghelp/dbgcore DLL From Suspicious Process, LSASS Memory Dump File Creation, Process Memory Dump Using Createdump, Lsass Access Through WinRM, Suspicious CommandLine Lsassy Pattern, Credential Dumping By LaZagne, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Impacket Secretsdump.py Tool, Active Directory Database Dump Via Ntdsutil, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection, Dynwrapx Module Loading"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, DCSync Attack, Active Directory Replication from Non Machine Account"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, Chafer (APT 39) Activity, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining, Sliver DNS Beaconing, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious LDAP-Attributes Used, Suspicious Windows DNS Queries, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, TrevorC2 HTTP Communication, DNS Tunnel Technique From MuddyWater, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Download File On Cloud Storage Through Command Line, SEKOIA.IO Intelligence Feed, Python HTTP Server, Chafer (APT 39) Activity"}, {"techniqueID": "T1649", "score": 100, "comment": "Rules: Suspicious Certificate Request-adcs Abuse, Suspicious Kerberos Ticket"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Download Files From Suspicious TLDs, ISO LNK Infection Chain, Download Files From Non-Legitimate TLDs, HTA Infection Chains, Correlation PowerShell Suspicious DLL Loading"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Audit CVE Event, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying, Correlation Internal Kerberos Password Spraying"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt, Abusing Azure Browser SSO"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Ntfsinfo Usage, Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task, Domain Trust Created Or Removed, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In, Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Dynwrapx Module Loading, Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, Disable .NET ETW Through COMPlus_ETWEnabled, Suspect Svchost Memory Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost, RDP Port Change Using Powershell, Denied Access To Remote Desktop"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Suspicious DNS Child Process"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credentials Extraction, Credential Harvesting Via Vaultcmd.exe, Information Stealer Downloading Legitimate Third-Party DLLs, Generic Password Discovery"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Suspicious Windows DNS Queries, Download File On Cloud Storage Through Command Line, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: SysKey Registry Keys Access, Suspicious Taskkill Command, Remote Registry Management Using Reg Utility, Putty Sessions Listing"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Download Files From Suspicious TLDs, Antivirus Password Dumper Detection, Msdt (Follina) File Browse Process Execution, Audit CVE Event, Download Files From Non-Legitimate TLDs, Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, Remote Enumeration Of Lateral Movement Groups, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes, Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft IIS Module Installation, Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes, Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event, Abusing Azure Browser SSO"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event, Registry Checked For Lanmanserver DisableCompression Parameter, CVE-2019-0708 Scan"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Secure Deletion With SDelete, Backup Catalog Deleted"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack, EvilProxy Phishing Domain, Correlation Suspicious Authentication Coercer Behavior, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Loading Scripting Libraries"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1563.001", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1563", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1555.001", "score": 100, "comment": "Rules: Generic Password Discovery"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell Download From URL, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Correlation Netcat Infection Chain, WMIC Uninstall Product, Invoke-TheHash Commandlets, PowerShell NTFS Alternate Data Stream, PowerShell Invoke Expression With Registry, Screenconnect Remote Execution, PowerShell Malicious Nishang PowerShell Commandlets, Correlation Supicious Powershell Drop and Exec, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Commands Invocation, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Threat Detected, JS PowerShell Infection Chains, Default Encoding To UTF-8 PowerShell, Aspnet Compiler, Exploited CVE-2020-10189 Zoho ManageEngine, Login Brute-Force Successful On SentinelOne EDR Management Console, PowerShell Downgrade Attack, Interactive Terminal Spawned via Python, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Generic, Trickbot Malware Activity, Powershell Web Request, Sigma Intelligence ErrTraffic PowerShell Command Line, Elise Backdoor, Phorpiex DriveMgr Command, Socat Reverse Shell Detection, SquirrelWaffle Malspam Execution Loading DLL, Socat Relaying Socket, Mustang Panda Dropper, Suspicious Windows Script Execution, Malicious PowerShell Keywords, Suspicious Cmd.exe Command Line, Suspicious VBS Execution Parameter, Powershell Web Request And Windows Script, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Web Application Launching Shell, Suspicious DLL Loaded Via Office Applications, PowerShell Credential Prompt, PowerShell Malicious PowerShell Commandlets, Alternate PowerShell Hosts Pipe, Turla Named Pipes, Suspicious Outlook Child Process, Sysprep On AppData Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Evil Winrm Modules Execution, Suspicious PowerShell Keywords, QakBot Process Creation, Suspicious Scripting In A WMI Consumer, Suspicious XOR Encoded PowerShell Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, In-memory PowerShell, Linux Bash Reverse Shell, Microsoft Office Spawning Script, Suspicious File Name, Venom Multi-hop Proxy agent detection, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand, WMImplant Hack Tool, Lazarus Loaders, Detection of default Mimikatz banner, WMI DLL Loaded Via Office, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, AutoIt3 Execution From Suspicious Folder, Generic-reverse-shell-oneliner, PowerShell Suspicious Context Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Mshta Suspicious Child Process, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HarfangLab EDR High Threat, Microsoft Office Creating Suspicious File, ZIP LNK Infection Chain, HarfangLab EDR Low Threat, Sysmon Windows File Block Executable, Registry Value Changed Via Windows Run Dialog, Suspicious DLL Loaded Via Office Applications, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Critical Threat, HTA Infection Chains, Exploit For CVE-2015-1641, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Medium Threat, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Suspicious Outlook Child Process, IcedID Execution Using Excel, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR Low Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, Download Files From Suspicious TLDs, Microsoft Defender Antivirus Threat Detected, Winword Document Droppers, Correlation PowerShell Suspicious DLL Loading, Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Windows Update LolBins, Correlation Impacket Smbexec, Taskhost Wrong Parent, Credential Dumping Tools Service Execution, Smbexec.py Service Installation, Lsass Wrong Parent, Check Point Harmony Mobile Application Forbidden, Malicious Service Installations, Suspicious PsExec Execution, OneNote Suspicious Children Process, Wininit Wrong Parent, Svchost Wrong Parent, Winlogon wrong parent, Metasploit PSExec Service Creation, Spoolsv Wrong Parent, Taskhostw Wrong Parent, WMI Persistence Command Line Event Consumer, Exfiltration Via Pscp, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Microsoft Defender Antivirus Threat Detected, Mshta Command From A Scheduled Task, Usage Of Procdump With Common Arguments, Csrss Child Found, SolarWinds Suspicious File Creation, Rare Logonui Child Found, SolarWinds Wrong Child Process, PsExec Process, Windows Suspicious Service Creation, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Login Brute-Force Successful On SentinelOne EDR Management Console, Winrshost Wrong Parent"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: HarfangLab EDR High Threat, Microsoft Office Creating Suspicious File, HarfangLab EDR Low Threat, Sysmon Windows File Block Executable, Suspicious DLL Loaded Via Office Applications, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Critical Threat, Exploit For CVE-2015-1641, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Medium Threat, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, HarfangLab EDR Suspicious Process Behavior Has Been Detected, IcedID Execution Using Excel, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR Low Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, Winword Document Droppers, Download Files From Non-Legitimate TLDs, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL, Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), DNS Tunnel Technique From MuddyWater, Suspicious Windows DNS Queries, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Potential Lemon Duck User-Agent, Download File On Cloud Storage Through Command Line, TrevorC2 HTTP Communication, Koadic MSHTML Command, Suspicious LDAP-Attributes Used, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Chafer (APT 39) Activity"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Suspicious Outlook Child Process"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack, Correlation Priv Esc Via Remote Thread, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, CMSTP UAC Bypass via COM Object Access, HTML Smuggling Suspicious Usage, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, Shell PID Injection, UAC Bypass Via Sdclt, Reconnaissance Commands Activities"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Phosphorus (APT35) Exchange Discovery, AD User Enumeration, Remote Privileged Group Enumeration, Shell PID Injection, AD Privileged Users Or Groups Reconnaissance, Discovery Commands Correlation, Reconnaissance Commands Activities, Remote Enumeration Of Lateral Movement Groups"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Windows Defender Deactivation Using PowerShell Script, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Microsoft Defender Antivirus Configuration Changed, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, TrustedInstaller Impersonation, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Microsoft Malware Protection Engine Crash, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, Windows Defender Deactivation Using PowerShell Script, MalwareBytes Uninstallation, Suspect Svchost Memory Access, ETW Tampering, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, Microsoft Defender Antivirus Exclusion Configuration, Disable Security Events Logging Adding Reg Key MiniNt, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Services, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Microsoft Defender Antivirus Configuration Changed, Disable Task Manager Through Registry Key, Attempt to Disable Gatekeeper Execution Control, Suspicious PROCEXP152.sys File Created In Tmp, Python Opening Ports, Netsh Allow Command, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, TrustedInstaller Impersonation, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Microsoft Malware Protection Engine Crash, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, FLTMC command usage, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Tampering Detected, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: New Or Renamed User Account With '$' In Attribute 'SamAccountName', Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, RTLO Character, Unsigned Driver Loaded From Suspicious Location, Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Possible Malicious File Double Extension, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Correlation Netcat Infection Chain, Linux Bash Reverse Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Information Stealer Downloading Legitimate Third-Party DLLs, Network Connection Via Certutil, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Correlation Netcat Infection Chain, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Smss Wrong Parent, MavInject Process Injection, Malicious Named Pipe, Process Herpaderping, Suspicious Process Requiring DLL Starts Without DLL, Taskhost Wrong Parent, Process Hollowing Detection, Cobalt Strike Named Pipes, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Taskhostw Wrong Parent, Dynwrapx Module Loading, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Mshta Command From A Scheduled Task, Svchost Wrong Parent"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, WMI Fingerprint Commands, System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Elevated Msiexec Via Repair Functionality, DHCP Server Error Failed Loading the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, Svchost DLL Search Order Hijack, Suspicious DLL side loading from ProgramData, Windows Registry Persistence COM Search Order Hijacking, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, Werfault DLL Injection, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, Elevated Shell Launched By Browser"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key, Malware Persistence Registry Key, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, Linux Suspicious Auto-start Desktop Shortcut Execution, Narrator Feedback-Hub Persistence, Suspicious desktop.ini Action, Registry Key Used By Some Old Agent Tesla Samples, Svchost Modification, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Powershell Suspicious Startup Shortcut Persistence, NjRat Registry Changes, Security Support Provider (SSP) Added to LSA Configuration, Powershell Winlogon Helper DLL"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292, Successful Brute Force Login From Internet"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Correlation Post Exploitation Patterns Via Winrm, Cookies Deletion, Microsoft Defender Antivirus History Directory Deleted, Secure Deletion With SDelete, Evil Winrm Modules Execution, ETW Tampering, Microsoft Defender Antivirus Tampering Detected, Compression Followed By Suppression, Eventlog Cleared, Microsoft Defender Antivirus History Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, AD Object WriteDAC Access, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, PowerShell NTFS Alternate Data Stream, Chflags Hidden, Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Credentials Extraction, Outlook Registry Access, Container Credential Access, Remote Registry Management Using Reg Utility, XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, Active Directory User Backdoors, Active Directory Delegate To KRBTGT Service, User Added to Local Administrators, Mimikatz Basic Commands, SeEnableDelegationPrivilege Granted To User Or Machine In Active Directory, Password Change On Directory Service Restore Mode (DSRM) Account, Privileged AD Builtin Group Modified, Active Directory Replication User Backdoor"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1547.013", "score": 100, "comment": "Rules: Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dumping By LaZagne, Credential Dump Tools Related Files, Credential Dumping Tools Service Execution, Unsigned Image Loaded Into LSASS Process, Active Directory Database Dump Via Ntdsutil, Process Trace Alteration, Malicious Service Installations, Process Memory Dump Using Rdrleakdiag, RedMimicry Winnti Playbook Dropped File, Mimikatz LSASS Memory Access, Process Memory Dump Using Createdump, LSASS Memory Dump File Creation, Suspicious SAM Dump, Rubeus Tool Command-line, Lsass Access Through WinRM, Active Directory Replication from Non Machine Account, LSASS Access From Non System Account, Password Dumper Activity On LSASS, NTDS.dit File Interaction Through Command Line, Wdigest Enable UseLogonCredential, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, DCSync Attack, Windows Credential Editor Registry Key, Dumpert LSASS Process Dumper, Impacket Secretsdump.py Tool, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Mimikatz Basic Commands, Credential Dumping-Tools Common Named Pipes, NetNTLM Downgrade Attack, DPAPI Domain Backup Key Extraction, LSASS Memory Dump, Copying Browser Files With Credentials, Transferring Files With Credential Data Via Network Shares, Load Of dbghelp/dbgcore DLL From Suspicious Process, HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Comsvcs, SAM Registry Hive Handle Request, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, COM Hijack Via Sdclt, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage, WMI Event Subscription, Component Object Model Hijacking, Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, WMI Persistence Script Event Consumer File Write, Reconnaissance Commands Activities"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Ursnif Registry Key, Windows Defender Logging Modification Via Registry, Disable Security Events Logging Adding Reg Key MiniNt, Suspicious New Printer Ports In Registry, Disable .NET ETW Through COMPlus_ETWEnabled, RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, Disable Workstation Lock, NetNTLM Downgrade Attack, DNS ServerLevelPluginDll Installation, LanManServer Registry Modify, Suspicious Desktopimgdownldr Execution, Blue Mockingbird Malware, RDP Port Change Using Powershell, Disabling SmartScreen Via Registry, Chafer (APT 39) Activity, FlowCloud Malware, OceanLotus Registry Activity"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Lsass Wrong Parent, Malicious Service Installations, OneNote Suspicious Children Process, Svchost Wrong Parent, StoneDrill Service Install, Wininit Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Gpscript Suspicious Parent, APT29 Fake Google Update Service Install, Taskhost or Taskhostw Suspicious Child Found, Mshta Command From A Scheduled Task, Csrss Child Found, Rare Logonui Child Found, New Service Creation, SolarWinds Wrong Child Process, Cobalt Strike Default Service Creation Usage, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Chafer (APT 39) Activity, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Lsass Wrong Parent, Malicious Service Installations, OneNote Suspicious Children Process, Svchost Wrong Parent, StoneDrill Service Install, Wininit Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Gpscript Suspicious Parent, APT29 Fake Google Update Service Install, Taskhost or Taskhostw Suspicious Child Found, Mshta Command From A Scheduled Task, Csrss Child Found, Rare Logonui Child Found, New Service Creation, SolarWinds Wrong Child Process, Cobalt Strike Default Service Creation Usage, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Chafer (APT 39) Activity, Winrshost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Correlation Impacket Smbexec, Taskhost Wrong Parent, Credential Dumping Tools Service Execution, Smbexec.py Service Installation, Lsass Wrong Parent, Malicious Service Installations, Suspicious PsExec Execution, OneNote Suspicious Children Process, Svchost Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Metasploit PSExec Service Creation, Spoolsv Wrong Parent, Taskhostw Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Mshta Command From A Scheduled Task, Csrss Child Found, Rare Logonui Child Found, SolarWinds Wrong Child Process, PsExec Process, Windows Suspicious Service Creation, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Mimikatz LSASS Memory Access, Credential Dumping By LaZagne, Credential Dump Tools Related Files, Credential Dumping Tools Service Execution, Process Memory Dump Using Createdump, LSASS Memory Dump File Creation, Load Of dbghelp/dbgcore DLL From Suspicious Process, LSASS Access From Non System Account, Lsass Access Through WinRM, Unsigned Image Loaded Into LSASS Process, Password Dumper Activity On LSASS, Suspicious CommandLine Lsassy Pattern, Credential Dumping-Tools Common Named Pipes, Windows Credential Editor Registry Key, LSASS Memory Dump, Dumpert LSASS Process Dumper"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer, WMI Event Subscription"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, Narrator Feedback-Hub Persistence, Registry Key Used By Some Old Agent Tesla Samples, Microsoft Office Macro Security Registry Modifications, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification, Powershell Suspicious Startup Shortcut Persistence"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, Bloodhound and Sharphound Tools Usage, Remote Enumeration Of Lateral Movement Groups"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, AD User Enumeration, AD Privileged Users Or Groups Reconnaissance, Discovery Commands Correlation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, AdFind Usage, Phosphorus Domain Controller Discovery, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 1, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, PowerShell Credential Prompt, PowerShell Malicious PowerShell Commandlets, Alternate PowerShell Hosts Pipe, Invoke-TheHash Commandlets, PowerShell NTFS Alternate Data Stream, PowerShell Invoke Expression With Registry, Turla Named Pipes, Detection of default Mimikatz banner, Powershell Web Request, Screenconnect Remote Execution, PowerShell Malicious Nishang PowerShell Commandlets, Sigma Intelligence ErrTraffic PowerShell Command Line, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Suspicious Context Changes, Evil Winrm Modules Execution, JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Malicious PowerShell Keywords, Suspicious PowerShell Keywords, Mshta Suspicious Child Process, Suspicious XOR Encoded PowerShell Command Line, In-memory PowerShell, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WerFaultSecure Abuse, Tactical RMM Installation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, WMI Fingerprint Commands, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMI DLL Loaded Via Office, WMImplant Hack Tool, VSCode Tunnel Shell Exec, Impacket Wmiexec Module, Suspicious Mshta Execution From Wmi, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Remote Service Activity Via SVCCTL Named Pipe, Correlation Impacket Smbexec, Admin Share Access, Smbexec.py Service Installation, Protected Storage Service Access, Cobalt Strike Default Service Creation Usage, Lateral Movement Remote Named Pipe"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, RDP Login From Localhost, Remote Service Activity Via SVCCTL Named Pipe, MMC20 Lateral Movement, Correlation Impacket Smbexec, Admin Share Access, Smbexec.py Service Installation, Protected Storage Service Access, Lsass Access Through WinRM, Cobalt Strike Default Service Creation Usage, Denied Access To Remote Desktop, Lateral Movement Remote Named Pipe, MMC Spawning Windows Shell"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: GPO Executable Delivery, Privileged AD Builtin Group Modified, Creation or Modification of a GPO Scheduled Task, Domain Trust Created Or Removed"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Suspect Svchost Memory Access, Disable Security Events Logging Adding Reg Key MiniNt, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Antivirus Web Shell Detection, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Antivirus Web Shell Detection, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, Webshell Creation"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credentials Extraction, Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool, Generic Password Discovery, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, CMSTP UAC Bypass via COM Object Access, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, Dynwrapx Module Loading, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regsvr32 Execution, xWizard Execution, AccCheckConsole Executing Dll, MOFComp Execution, Suspicious Windows Installer Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, Dynwrapx Module Loading, IcedID Execution Using Excel"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection, Dynwrapx Module Loading"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Powershell AMSI Bypass, Python Opening Ports, Netsh Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Lazarus Loaders, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Screenconnect Remote Execution, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Mustang Panda Dropper, Web Application Launching Shell, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: SysKey Registry Keys Access, Putty Sessions Listing, Remote Registry Management Using Reg Utility, Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: SCM Database Handle Failure, PowerView commandlets 2, SCM Database Privileged Operation, PowerView commandlets 1"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, WMI DLL Loaded Via Office, Suspicious DLL Loaded Via Office Applications, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: ACLight Discovering Privileged Accounts, Remote System Discovery Via Telnet, System Network Connections Discovery, Adidnsdump Enumeration, Microsoft Windows Active Directory Module Commandlets"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Audit CVE Event"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Rubeus Tool Command-line, Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, STRRAT Scheduled Task, Creation or Modification of a GPO Scheduled Task, Schtasks Suspicious Parent, Windows Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Chafer (APT 39) Activity"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, Remote Task Creation Via ATSVC Named Pipe, STRRAT Scheduled Task, Creation or Modification of a GPO Scheduled Task, Schtasks Suspicious Parent, Windows Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Chafer (APT 39) Activity"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Suspicious TGS requests (Kerberoasting), Rubeus Register New Logon Process, Rubeus Tool Command-line, Possible Replay Attack, Suspicious Outbound Kerberos Connection, Kerberos Pre-Auth Disabled in UAC, Suspicious Kerberos Ticket, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Compression Followed By Suppression"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand, Secure Deletion With SDelete"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Impacket Secretsdump.py Tool, Active Directory Database Dump Via Ntdsutil, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1070.008", "score": 100, "comment": "Rules: Evil Winrm Modules Execution, Correlation Post Exploitation Patterns Via Winrm"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, Netscan Share Access Artefact, PowerView commandlets 2, Correlation Admin Files Checked On Network Share"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, TUN/TAP Driver Installation, Exfiltration Domain, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Chafer (APT 39) Activity"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Python HTTP Server, Suspicious Windows DNS Queries, Potential Bazar Loader User-Agents, Download File On Cloud Storage Through Command Line, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Privileged AD Builtin Group Modified, Computer Account Deleted"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Antivirus Relevant File Paths Alerts, Msdt (Follina) File Browse Process Execution, Antivirus Exploitation Framework Detection, Suspicious Hangul Word Processor Child Process, Antivirus Password Dumper Detection, Audit CVE Event, Download Files From Suspicious TLDs, Suspicious New Printer Ports In Registry, Exploit For CVE-2015-1641"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Antivirus Password Dumper Detection"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Credential Dumping Tools Service Execution, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping-Tools Common Named Pipes, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Suspicious URL Requested By Curl Or Wget Commands, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Impacket Addcomputer"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), Correlation Suspicious Authentication Coercer Behavior, Possible RottenPotato Attack, EvilProxy Phishing Domain"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Remote Task Creation Via ATSVC Named Pipe, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot, Account Added To A Security Enabled Group, User Added to Local Administrators, Admin User RDP Remote Logon, Denied Access To Remote Desktop, User Added To Admin Group Via Cmd, Account Removed From A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons, Dscl Authonly"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Dropped File, Copying Browser Files With Credentials, Credential Dump Tools Related Files, Credential Dumping Tools Service Execution, Suspicious SAM Dump, Impacket Secretsdump.py Tool, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, SAM Registry Hive Handle Request, Credential Dumping-Tools Common Named Pipes"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, Svchost DLL Search Order Hijack, Suspicious DLL side loading from ProgramData, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, Werfault DLL Injection, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Audit CVE Event, Suspicious New Printer Ports In Registry, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event, CVE-2019-0708 Scan, Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Kerberos Password Spraying, Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Correlation Internal Kerberos Password Spraying, Successful Brute Force Login From Internet, Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, RDP Login From Localhost, Denied Access To Remote Desktop"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, DCSync Attack, Active Directory Replication from Non Machine Account"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, Office Application Startup Office Test, Microsoft Office Startup Add-In, IcedID Execution Using Excel"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Loading Scripting Libraries"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Correlation PowerShell Suspicious DLL Loading, Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain, ZIP LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd, Admin User RDP Remote Logon"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Credential Dumping Tools Service Execution, Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping-Tools Common Named Pipes, DPAPI Domain Backup Key Extraction"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious Hostname, Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1649", "score": 100, "comment": "Rules: Suspicious Kerberos Ticket, Suspicious Certificate Request-adcs Abuse"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1558.004", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1555.001", "score": 100, "comment": "Rules: Generic Password Discovery"}, {"techniqueID": "T1563.001", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1563", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_94d4ef59-638c-4230-b38d-e4a1381db8ed_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_94d4ef59-638c-4230-b38d-e4a1381db8ed_do_not_edit_manually.json
index eae023afa8..b069799a5f 100644
--- a/_shared_content/operations_center/detection/generated/attack_94d4ef59-638c-4230-b38d-e4a1381db8ed_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_94d4ef59-638c-4230-b38d-e4a1381db8ed_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x One Identity SPS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, PowerShell EncodedCommand, MalwareBytes Uninstallation, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, Mustang Panda Dropper, Socat Reverse Shell Detection, Correlation Netcat Infection Chain, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Correlation Netcat Infection Chain"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Process Trace Alteration, HackTools Suspicious Names, WCE wceaux.dll Creation, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious certutil command, Correlation Netcat Infection Chain, Suspicious Desktopimgdownldr Execution, Rclone Process"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage, Container Credential Access"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Services, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Suspicious PROCEXP152.sys File Created In Tmp, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Windows Defender Logging Modification Via Registry, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, WMImplant Hack Tool, Blue Mockingbird Malware"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Component Object Model Hijacking, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Generic, Suspicious PowerShell Keywords, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Powershell Web Request And Windows Script, FromBase64String Command Line, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Executions, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Equation Group DLL_U Load, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Executions, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Suspicious Desktopimgdownldr Execution, MavInject Process Injection"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Dynamic DNS Contacted, Cryptomining, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x One Identity SPS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Correlation Netcat Infection Chain, WMIC Uninstall Product, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, PowerShell Commands Invocation, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, Mustang Panda Dropper, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Cmd.exe Command Line, Linux Bash Reverse Shell, Malspam Execution Registering Malicious DLL, Suspicious File Name"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Correlation Netcat Infection Chain, Linux Bash Reverse Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Pandemic Windows Implant, Correlation Netcat Infection Chain, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, Suspicious PROCEXP152.sys File Created In Tmp, Raccine Uninstall, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Allowed Python Program, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Credential Dump Tools Related Files, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, WCE wceaux.dll Creation, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 1, NlTest Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, Invoke-TheHash Commandlets, PowerShell EncodedCommand, PowerShell Invoke Expression With Registry, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, RTLO Character, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Tactical RMM Installation, Invoke-TheHash Commandlets, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, WMIC Uninstall Product"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, HTA Infection Chains, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, MavInject Process Injection, Suspicious Taskkill Command, CertOC Loading Dll, Control Panel Items, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json
index d27e9ef078..2afe171adf 100644
--- a/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trellix EDR [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Generic, Suspicious VBS Execution Parameter, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Generic-reverse-shell-oneliner, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, PowerShell EncodedCommand, MalwareBytes Uninstallation, Elise Backdoor, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Interactive Terminal Spawned via Python, Mustang Panda Dropper, Sysprep On AppData Folder, Socat Reverse Shell Detection, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Services, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, Process Trace Alteration, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery, WMI Fingerprint Commands"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, Shell PID Injection, Reconnaissance Commands Activities, COM Hijack Via Sdclt, UAC Bypass Via Sdclt"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, PowerView commandlets 1, Shell PID Injection, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Shell PID Injection, Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Chflags Hidden, Hiding Files With Attrib.exe"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Windows Defender Logging Modification Via Registry, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, Suspicious Windows Installer Execution, MavInject Process Injection, xWizard Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Explorer Process Executing HTA File, Control Panel Items, Mshta JavaScript Execution, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, WMI Fingerprint Commands, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WerFaultSecure Abuse"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, QakBot Process Creation, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Change Default File Association, COM Hijack Via Sdclt, Reconnaissance Commands Activities, Component Object Model Hijacking, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, FromBase64String Command Line, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Remote System Discovery Via Telnet, Adidnsdump Enumeration, System Network Connections Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Rclone Process"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Dynamic DNS Contacted, Cryptomining, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft IIS Module Installation, PowerCat Function Loading"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot, User Added To Admin Group Via Cmd, Dscl Authonly"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trellix EDR [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Suspicious VBS Execution Parameter, PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell EncodedCommand, PowerShell Downgrade Attack, Interactive Terminal Spawned via Python, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, WMIC Uninstall Product, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Sysprep On AppData Folder, PowerShell Commands Invocation, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Generic-reverse-shell-oneliner, Socat Relaying Socket, Mustang Panda Dropper, JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, Suspicious Cmd.exe Command Line, Suspicious XOR Encoded PowerShell Command Line, Linux Bash Reverse Shell, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Shell PID Injection, UAC Bypass Via Sdclt, Reconnaissance Commands Activities"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 1, PowerView commandlets 2, Shell PID Injection, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Netsh Allow Command, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, WMI Fingerprint Commands, System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Kernel Module Alteration, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, Chflags Hidden, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, HackTools Suspicious Names, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Reconnaissance Commands Activities"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 1, NlTest Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, PowerShell Malicious Nishang PowerShell Commandlets, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, RTLO Character, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WerFaultSecure Abuse, Tactical RMM Installation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, WMI Fingerprint Commands, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, CMSTP Execution, Suspicious Regsvr32 Execution, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, System Network Connections Discovery"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, PsExec Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft IIS Module Installation"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd, Enable Root Account With Dsenableroot, Dscl Authonly"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9844ea0a-de7f-45d4-9a9b-b07651f0630e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9844ea0a-de7f-45d4-9a9b-b07651f0630e_do_not_edit_manually.json
index 4f393cd27e..b02defe856 100644
--- a/_shared_content/operations_center/detection/generated/attack_9844ea0a-de7f-45d4-9a9b-b07651f0630e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9844ea0a-de7f-45d4-9a9b-b07651f0630e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trend Micro Vision One Workbench Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Trend Micro Vision One Workbench high Severity Alert, QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Trend Micro Vision One Workbench Low Severity Alert, Trend Micro Vision One Workbench Medium Severity Alert, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, PowerShell Credential Prompt, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious PowerShell Invocations - Generic, Malicious PowerShell Keywords, Powershell Web Request And Windows Script, Sigma Intelligence ErrTraffic PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell NTFS Alternate Data Stream, Lazarus Loaders, PowerShell EncodedCommand, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Mustang Panda Dropper, PowerShell Suspicious Context Changes, PowerShell Malicious PowerShell Commandlets, Socat Reverse Shell Detection, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection, Trend Micro Vision One Workbench Critical Severity Alert"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Trend Micro Vision One Workbench high Severity Alert, HTA Infection Chains, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Malspam Execution Registering Malicious DLL, Trend Micro Vision One Workbench Low Severity Alert, ISO LNK Infection Chain, Trend Micro Vision One Workbench Medium Severity Alert, Trend Micro Vision One Workbench Critical Severity Alert"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Trend Micro Vision One Workbench high Severity Alert, Usage Of Sysinternals Tools, Trend Micro Vision One Workbench Low Severity Alert, PsExec Process, Trend Micro Vision One Workbench Medium Severity Alert, Trend Micro Vision One Workbench Critical Severity Alert, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Process Trace Alteration, HackTools Suspicious Names, Windows Credential Editor Registry Key, WCE wceaux.dll Creation, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, NetNTLM Downgrade Attack, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Linux Masquerading Space After Name, Phorpiex Process Masquerading, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Listing Systemd Environment, WMI Fingerprint Commands, Shadow Copies"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage, Container Credential Access"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Windows Defender Deactivation Using PowerShell Script, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, Netsh RDP Port Forwarding, TrustedInstaller Impersonation, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, Netsh Port Forwarding, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Powershell AMSI Bypass, Windows Defender Deactivation Using PowerShell Script, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, Netsh RDP Port Forwarding, TrustedInstaller Impersonation, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, OceanLotus Registry Activity, Windows Defender Logging Modification Via Registry, LanManServer Registry Modify, NetNTLM Downgrade Attack, Ursnif Registry Key, DHCP Callout DLL Installation, Disabling SmartScreen Via Registry, FlowCloud Malware, RDP Sensitive Settings Changed, DNS ServerLevelPluginDll Installation, Suspicious Desktopimgdownldr Execution, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Port Change Using Powershell, Blue Mockingbird Malware, Wdigest Enable UseLogonCredential, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, PowerView commandlets 1, Reconnaissance Commands Activities, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Credential Prompt, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Malicious PowerShell Keywords, Powershell Web Request And Windows Script, Sigma Intelligence ErrTraffic PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell NTFS Alternate Data Stream, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Suspicious Context Changes, PowerShell Malicious PowerShell Commandlets, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, WMI Fingerprint Commands, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, WMImplant Hack Tool, Blue Mockingbird Malware"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, DLL Load via LSASS Registry Key, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, Svchost Modification, Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration, Njrat Registry Values"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Change Default File Association, COM Hijack Via Sdclt, Reconnaissance Commands Activities, Component Object Model Hijacking, Suspicious Netsh DLL Persistence, Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Phosphorus Domain Controller Discovery, AdFind Usage"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Executions, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Equation Group DLL_U Load, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Executions, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Suspicious Desktopimgdownldr Execution, MavInject Process Injection"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, COM Hijack Via Sdclt, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Svchost Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Rclone Process, Suspicious Desktopimgdownldr Execution, Suspicious certutil command"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Microsoft Windows Active Directory Module Commandlets"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft IIS Module Installation, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trend Micro Vision One Workbench Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, PowerShell Credential Prompt, WMIC Uninstall Product, PowerShell Malicious PowerShell Commandlets, Invoke-TheHash Commandlets, PowerShell NTFS Alternate Data Stream, Lazarus Loaders, PowerShell Invoke Expression With Registry, PowerShell Malicious Nishang PowerShell Commandlets, Sigma Intelligence ErrTraffic PowerShell Command Line, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, PowerShell Commands Invocation, Suspicious PrinterPorts Creation (CVE-2020-1048), Trend Micro Vision One Workbench high Severity Alert, PowerShell Suspicious Context Changes, Socat Relaying Socket, Mustang Panda Dropper, Trend Micro Vision One Workbench Critical Severity Alert, Suspicious Microsoft Defender Antivirus Exclusion Command, Trend Micro Vision One Workbench Medium Severity Alert, Default Encoding To UTF-8 PowerShell, Malicious PowerShell Keywords, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Bash Reverse Shell, Malspam Execution Registering Malicious DLL, Trend Micro Vision One Workbench Low Severity Alert"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ISO LNK Infection Chain, Trend Micro Vision One Workbench high Severity Alert, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Malspam Execution Registering Malicious DLL, Trend Micro Vision One Workbench Low Severity Alert, Trend Micro Vision One Workbench Critical Severity Alert, Trend Micro Vision One Workbench Medium Severity Alert, HTA Infection Chains"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Trend Micro Vision One Workbench high Severity Alert, PsExec Process, Usage Of Sysinternals Tools, Trend Micro Vision One Workbench Low Severity Alert, Trend Micro Vision One Workbench Critical Severity Alert, Usage Of Procdump With Common Arguments, Trend Micro Vision One Workbench Medium Severity Alert"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Linux Masquerading Space After Name, Formbook Hijacked Process Command, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Windows Defender Deactivation Using PowerShell Script, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, TrustedInstaller Impersonation, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, Windows Defender Deactivation Using PowerShell Script, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Disable Services, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, TrustedInstaller Impersonation, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Credential Dump Tools Related Files, NTDS.dit File Interaction Through Command Line, NetNTLM Downgrade Attack, Rubeus Tool Command-line, NTDS.dit File In Suspicious Directory, HackTools Suspicious Names, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, WCE wceaux.dll Creation, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Listing Systemd Environment, Shadow Copies, WMI Fingerprint Commands"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage, Component Object Model Hijacking, Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, Reconnaissance Commands Activities"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RDP Port Change Using Powershell, Disabling SmartScreen Via Registry, Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Suspicious Desktopimgdownldr Execution, Windows Defender Logging Modification Via Registry, RDP Sensitive Settings Changed, DNS ServerLevelPluginDll Installation, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, Disable Workstation Lock, NetNTLM Downgrade Attack, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious New Printer Ports In Registry, LanManServer Registry Modify, OceanLotus Registry Activity"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key, Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, Suspicious desktop.ini Action, Microsoft Office Macro Security Registry Modifications, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Security Support Provider (SSP) Added to LSA Configuration, Powershell Winlogon Helper DLL"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Phosphorus (APT35) Exchange Discovery, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Phosphorus Domain Controller Discovery, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 1, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, PowerShell Credential Prompt, PowerShell Malicious PowerShell Commandlets, Invoke-TheHash Commandlets, PowerShell NTFS Alternate Data Stream, PowerShell Invoke Expression With Registry, PowerShell Malicious Nishang PowerShell Commandlets, Sigma Intelligence ErrTraffic PowerShell Command Line, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Suspicious Context Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Malicious PowerShell Keywords"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Tactical RMM Installation, Invoke-TheHash Commandlets, WMI Fingerprint Commands, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, WMIC Uninstall Product"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Microsoft Windows Active Directory Module Commandlets"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, MavInject Process Injection, Suspicious Taskkill Command, CertOC Loading Dll, Control Panel Items, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Dynamic DNS Contacted"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious certutil command, Rclone Process, Pandemic Windows Implant"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Suspicious New Printer Ports In Registry, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft IIS Module Installation, Webshell Creation"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, Office Application Startup Office Test"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json
index 1ad3a898fe..23f3eeab04 100644
--- a/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Darktrace Threat Visualizer", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Suspicious Activity, Darktrace Threat Visualizer Threat Critical Alert, Darktrace Threat Visualizer Threat Suspicious Alert, Darktrace Threat Visualizer Model Breach Critical Activity"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Suspicious Activity, Darktrace Threat Visualizer Threat Critical Alert, Darktrace Threat Visualizer Threat Suspicious Alert, Darktrace Threat Visualizer Model Breach Critical Activity"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Darktrace Threat Visualizer", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Threat Suspicious Alert, Darktrace Threat Visualizer Model Breach Suspicious Activity, Darktrace Threat Visualizer Model Breach Critical Activity, Darktrace Threat Visualizer Threat Critical Alert"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Threat Suspicious Alert, Darktrace Threat Visualizer Model Breach Suspicious Activity, Darktrace Threat Visualizer Model Breach Critical Activity, Darktrace Threat Visualizer Threat Critical Alert"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
index e713511ff3..4e30d34608 100644
--- a/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Meraki MX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Meraki MX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_99a97295-dad0-4deb-af50-521c76cad45d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_99a97295-dad0-4deb-af50-521c76cad45d_do_not_edit_manually.json
index 03aa943545..76375b74cc 100644
--- a/_shared_content/operations_center/detection/generated/attack_99a97295-dad0-4deb-af50-521c76cad45d_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_99a97295-dad0-4deb-af50-521c76cad45d_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Network Watcher Flow Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Network Watcher Flow Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
index b8c1cb0dea..fd10752432 100644
--- a/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sophos Analysis Threat Center", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious File Name, QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, SquirrelWaffle Malspam Execution Loading DLL, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, Trickbot Malware Activity, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Generic, Suspicious VBS Execution Parameter, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Generic-reverse-shell-oneliner, Web Application Launching Shell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, PowerShell EncodedCommand, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Elise Backdoor, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Interactive Terminal Spawned via Python, Mustang Panda Dropper, Mshta Suspicious Child Process, Screenconnect Remote Execution, Sysprep On AppData Folder, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, Exploited CVE-2020-10189 Zoho ManageEngine, Correlation Netcat Infection Chain, Microsoft Office Spawning Script, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Driver Loaded, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, Netsh Port Forwarding, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, FLTMC command usage, Netsh Allow Command, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Powershell AMSI Bypass, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1547.013", "score": 100, "comment": "Rules: Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, DLL Load via LSASS Registry Key, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, Svchost Modification, Njrat Registry Values, Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Correlation Netcat Infection Chain"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Trace Alteration, Copying Browser Files With Credentials, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Wdigest Enable UseLogonCredential, Credential Dump Tools Related Files, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, HackTools Suspicious Names, Windows Credential Editor Registry Key, WCE wceaux.dll Creation, Rubeus Tool Command-line, NTDS.dit File In Suspicious Directory, NetNTLM Downgrade Attack, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Hijack Legit RDP Session To Move Laterally, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery, WMI Fingerprint Commands"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Correlation Netcat Infection Chain, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Information Stealer Downloading Legitimate Third-Party DLLs, Rclone Process"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, Shell PID Injection, COM Hijack Via Sdclt, Reconnaissance Commands Activities, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, PowerView commandlets 1, Shell PID Injection, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Shell PID Injection, Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Chflags Hidden, Hiding Files With Attrib.exe"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Clear EventLogs Through CommandLine, Correlation Post Exploitation Patterns Via Winrm, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Mshta Command From A Scheduled Task, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: OceanLotus Registry Activity, Windows Defender Logging Modification Via Registry, NetNTLM Downgrade Attack, Ursnif Registry Key, DHCP Callout DLL Installation, FlowCloud Malware, RDP Sensitive Settings Changed, Wdigest Enable UseLogonCredential, DNS ServerLevelPluginDll Installation, Suspicious Desktopimgdownldr Execution, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, MOFComp Execution, Suspicious Windows Installer Execution, IcedID Execution Using Excel, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Explorer Process Executing HTA File, Control Panel Items, Mshta JavaScript Execution, AccCheckConsole Executing Dll, CMSTP UAC Bypass via COM Object Access, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1070.008", "score": 100, "comment": "Rules: Correlation Post Exploitation Patterns Via Winrm"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, WMI Fingerprint Commands, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Process Call Creation, VSCode Tunnel Shell Exec, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WerFaultSecure Abuse, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, Screenconnect Remote Execution, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Taskkill Command, Web Application Launching Shell, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, New Service Creation, Mshta Command From A Scheduled Task, Rare Logonui Child Found, Rare Lsass Child Found, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, New Service Creation, Mshta Command From A Scheduled Task, Rare Logonui Child Found, Rare Lsass Child Found, OneNote Suspicious Children Process"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Change Default File Association, COM Hijack Via Sdclt, Reconnaissance Commands Activities, Component Object Model Hijacking, Suspicious Netsh DLL Persistence, Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, FromBase64String Command Line, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, Screenconnect Remote Execution, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery, Correlation Admin Files Checked On Network Share"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, PsExec Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, Rare Lsass Child Found, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchprotocolhost Child Found, Windows Update LolBins, Taskhost or Taskhostw Suspicious Child Found, Usage Of Sysinternals Tools, SolarWinds Suspicious File Creation, SolarWinds Wrong Child Process, PsExec Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, Rare Lsass Child Found, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Suspicious DNS Child Process"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Trickbot Malware Activity, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Winword Document Droppers, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Winword Document Droppers, HTA Infection Chains, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel, ISO LNK Infection Chain, Exploit For CVE-2015-1641, Correlation PowerShell Suspicious DLL Loading, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Svchost Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Remote System Discovery Via Telnet, Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Correlation PowerShell Suspicious DLL Loading, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool, Generic Password Discovery, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, Dynamic DNS Contacted, Cryptomining, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft IIS Module Installation, Exchange Server Spawning Suspicious Processes, Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, User Added To Admin Group Via Cmd, Dscl Authonly, Account Removed From A Security Enabled Group, Enable Root Account With Dsenableroot"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1563.001", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1563", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1555.001", "score": 100, "comment": "Rules: Generic Password Discovery"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sophos Analysis Threat Center", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Suspicious VBS Execution Parameter, PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell EncodedCommand, Microsoft Office Creating Suspicious File, PowerShell Downgrade Attack, Interactive Terminal Spawned via Python, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Web Application Launching Shell, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Correlation Netcat Infection Chain, WMIC Uninstall Product, Trickbot Malware Activity, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, Screenconnect Remote Execution, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Bloodhound and Sharphound Tools Usage, Suspicious Outlook Child Process, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Sysprep On AppData Folder, PowerShell Commands Invocation, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Generic-reverse-shell-oneliner, SquirrelWaffle Malspam Execution Loading DLL, Socat Relaying Socket, Mustang Panda Dropper, JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, Mshta Suspicious Child Process, Suspicious Cmd.exe Command Line, Suspicious XOR Encoded PowerShell Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Bash Reverse Shell, Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious File Name"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Suspicious Windows DNS Queries, Cryptomining, Dynamic DNS Contacted, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, CMSTP UAC Bypass via COM Object Access, HTML Smuggling Suspicious Usage, UAC Bypass via Event Viewer, Shell PID Injection, UAC Bypass Via Sdclt, Reconnaissance Commands Activities"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 1, PowerView commandlets 2, Shell PID Injection, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, Netsh Program Allowed With Suspicious Location, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh Port Opening, Attempt to Disable Gatekeeper Execution Control, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, FLTMC command usage, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Correlation Netcat Infection Chain, Linux Bash Reverse Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Information Stealer Downloading Legitimate Third-Party DLLs, Network Connection Via Certutil, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Correlation Netcat Infection Chain, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Mshta Command From A Scheduled Task, MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, WMI Fingerprint Commands, System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Elevated Msiexec Via Repair Functionality, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key, Malware Persistence Registry Key, Kernel Module Alteration, Njrat Registry Values, Linux Suspicious Auto-start Desktop Shortcut Execution, Microsoft Office Macro Security Registry Modifications, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Powershell Winlogon Helper DLL"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Correlation Post Exploitation Patterns Via Winrm, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, Chflags Hidden, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1547.013", "score": 100, "comment": "Rules: Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Mimikatz Basic Commands, NetNTLM Downgrade Attack, Copying Browser Files With Credentials, HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, WMI Persistence Script Event Consumer File Write, Reconnaissance Commands Activities"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Suspicious Desktopimgdownldr Execution, Windows Defender Logging Modification Via Registry, RDP Sensitive Settings Changed, DNS ServerLevelPluginDll Installation, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, NetNTLM Downgrade Attack, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious New Printer Ports In Registry, OceanLotus Registry Activity"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 1, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Screenconnect Remote Execution, PowerShell Malicious Nishang PowerShell Commandlets, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Mshta Suspicious Child Process, Suspicious XOR Encoded PowerShell Command Line, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Formbook Hijacked Process Command, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WerFaultSecure Abuse, Tactical RMM Installation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, WMI Fingerprint Commands, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, VSCode Tunnel Shell Exec, Impacket Wmiexec Module, Suspicious Mshta Execution From Wmi, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, Webshell Creation"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool, Generic Password Discovery, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, CMSTP UAC Bypass via COM Object Access, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regsvr32 Execution, xWizard Execution, AccCheckConsole Executing Dll, MOFComp Execution, Suspicious Windows Installer Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Lazarus Loaders, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Screenconnect Remote Execution, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Mustang Panda Dropper, Web Application Launching Shell, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Winword Document Droppers, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Winword Document Droppers, Correlation PowerShell Suspicious DLL Loading, IcedID Execution Using Excel, ISO LNK Infection Chain, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, HTA Infection Chains, Suspicious Outlook Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Rare Logonui Child Found, Searchprotocolhost Child Found, Suspicious DNS Child Process, SolarWinds Wrong Child Process, PsExec Process, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Rare Lsass Child Found, Usage Of Procdump With Common Arguments, Mshta Command From A Scheduled Task, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Rare Logonui Child Found, Searchprotocolhost Child Found, Windows Update LolBins, Suspicious DNS Child Process, SolarWinds Wrong Child Process, Exfiltration Via Pscp, PsExec Process, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Rare Lsass Child Found, Usage Of Procdump With Common Arguments, Mshta Command From A Scheduled Task, SolarWinds Suspicious File Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1070.008", "score": 100, "comment": "Rules: Correlation Post Exploitation Patterns Via Winrm"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Rare Logonui Child Found, Searchprotocolhost Child Found, New Service Creation, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Rare Lsass Child Found, Mshta Command From A Scheduled Task, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Rare Logonui Child Found, Searchprotocolhost Child Found, New Service Creation, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Rare Lsass Child Found, Mshta Command From A Scheduled Task, OneNote Suspicious Children Process"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Correlation Admin Files Checked On Network Share, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, Impacket Addcomputer, User Account Created"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, User Added To Admin Group Via Cmd, Account Removed From A Security Enabled Group, Enable Root Account With Dsenableroot, Dscl Authonly"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Suspicious New Printer Ports In Registry, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Correlation PowerShell Suspicious DLL Loading, HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1555.001", "score": 100, "comment": "Rules: Generic Password Discovery"}, {"techniqueID": "T1563.001", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1563", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json
index 895e0367c8..ab78c343f8 100644
--- a/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Palo Alto Cortex XDR (EDR)", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Python Offensive Tools and Packages, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Generic, Suspicious VBS Execution Parameter, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Generic-reverse-shell-oneliner, Correlation Supicious Powershell Drop and Exec, Suspicious Microsoft Defender Antivirus Exclusion Command, AutoIt3 Execution From Suspicious Folder, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, PowerShell EncodedCommand, MalwareBytes Uninstallation, Elise Backdoor, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Interactive Terminal Spawned via Python, Mustang Panda Dropper, Sysprep On AppData Folder, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, Correlation Netcat Infection Chain, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Palo Alto Cortex XDR (EDR) Alert Not Blocked (Medium Severity), Palo Alto Cortex XDR (EDR) Alert Not Blocked (High Severity), Palo Alto Cortex XDR (EDR) Alert (Critical Severity), Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Palo Alto Cortex XDR (EDR) Alert Not Blocked (Low Severity), ISO LNK Infection Chain, HTA Infection Chains, Correlation PowerShell Suspicious DLL Loading"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Driver Loaded, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Package Manager Alteration, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Package Manager Alteration, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Correlation Netcat Infection Chain"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Trace Alteration, Copying Browser Files With Credentials, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Wdigest Enable UseLogonCredential, Credential Dump Tools Related Files, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, HackTools Suspicious Names, Windows Credential Editor Registry Key, WCE wceaux.dll Creation, Rubeus Tool Command-line, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Enabling Restricted Admin Mode, SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Hijack Legit RDP Session To Move Laterally, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Legitimate Process Execution From Unusual Folder, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery, WMI Fingerprint Commands"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Correlation Netcat Infection Chain, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Information Stealer Downloading Legitimate Third-Party DLLs, Rclone Process"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection, Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, Shell PID Injection, COM Hijack Via Sdclt, Reconnaissance Commands Activities, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, PowerView commandlets 1, Shell PID Injection, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Shell PID Injection, Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, DLL Load via LSASS Registry Key, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, Svchost Modification, Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration, Njrat Registry Values"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Chflags Hidden, Hiding Files With Attrib.exe"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Cookies Deletion, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, OceanLotus Registry Activity, Windows Defender Logging Modification Via Registry, LanManServer Registry Modify, Ursnif Registry Key, DHCP Callout DLL Installation, FlowCloud Malware, RDP Sensitive Settings Changed, Wdigest Enable UseLogonCredential, DNS ServerLevelPluginDll Installation, Suspicious Desktopimgdownldr Execution, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, Suspicious Windows Installer Execution, MavInject Process Injection, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Explorer Process Executing HTA File, Control Panel Items, Mshta JavaScript Execution, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, WMI Fingerprint Commands, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WerFaultSecure Abuse"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, QakBot Process Creation, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Change Default File Association, COM Hijack Via Sdclt, Reconnaissance Commands Activities, Component Object Model Hijacking, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Correlation Supicious Powershell Drop and Exec, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Svchost Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, SolarWinds Suspicious File Creation, PsExec Process, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Remote System Discovery Via Telnet, Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Correlation PowerShell Suspicious DLL Loading, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Ntfsinfo Usage, Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, Download File On Cloud Storage Through Command Line"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, Download File On Cloud Storage Through Command Line, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft IIS Module Installation, Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot, User Added To Admin Group Via Cmd, Dscl Authonly"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Palo Alto Cortex XDR (EDR)", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Suspicious VBS Execution Parameter, PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell EncodedCommand, Microsoft Office Creating Suspicious File, PowerShell Downgrade Attack, Interactive Terminal Spawned via Python, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Correlation Netcat Infection Chain, WMIC Uninstall Product, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, Powershell Web Request, Python Offensive Tools and Packages, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Sysprep On AppData Folder, PowerShell Commands Invocation, AutoIt3 Execution From Suspicious Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Generic-reverse-shell-oneliner, Socat Relaying Socket, Mustang Panda Dropper, JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, Suspicious Cmd.exe Command Line, Suspicious XOR Encoded PowerShell Command Line, Linux Bash Reverse Shell, Malspam Execution Registering Malicious DLL, Suspicious File Name"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Suspicious Windows DNS Queries, Download File On Cloud Storage Through Command Line, Dynamic DNS Contacted, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Correlation PowerShell Suspicious DLL Loading, Palo Alto Cortex XDR (EDR) Alert Not Blocked (Medium Severity), Palo Alto Cortex XDR (EDR) Alert Not Blocked (Low Severity), ISO LNK Infection Chain, Palo Alto Cortex XDR (EDR) Alert Not Blocked (High Severity), Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, HTA Infection Chains, Palo Alto Cortex XDR (EDR) Alert (Critical Severity)"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Correlation Priv Esc Via Remote Thread, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, UAC Bypass Using Fodhelper, Shell PID Injection, UAC Bypass Via Sdclt, Reconnaissance Commands Activities"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 1, PowerView commandlets 2, Shell PID Injection, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Fail2ban Unban IP, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, Disable .NET ETW Through COMPlus_ETWEnabled, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Fail2ban Unban IP, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Correlation Netcat Infection Chain, Linux Bash Reverse Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Information Stealer Downloading Legitimate Third-Party DLLs, Network Connection Via Certutil, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Correlation Netcat Infection Chain, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, WMI Fingerprint Commands, System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Elevated Msiexec Via Repair Functionality, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key, Malware Persistence Registry Key, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, Suspicious desktop.ini Action, Microsoft Office Macro Security Registry Modifications, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Security Support Provider (SSP) Added to LSA Configuration, Powershell Winlogon Helper DLL"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Cookies Deletion, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, Chflags Hidden, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode, SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Cron Files Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Mimikatz Basic Commands, Copying Browser Files With Credentials, HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write, Reconnaissance Commands Activities"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Suspicious Desktopimgdownldr Execution, Windows Defender Logging Modification Via Registry, RDP Sensitive Settings Changed, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, Disable Workstation Lock, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious New Printer Ports In Registry, LanManServer Registry Modify, OceanLotus Registry Activity"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 1, NlTest Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WerFaultSecure Abuse, Tactical RMM Installation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, WMI Fingerprint Commands, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regsvr32 Execution, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Download File On Cloud Storage Through Command Line, Suspicious Windows DNS Queries"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft IIS Module Installation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Correlation PowerShell Suspicious DLL Loading, HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd, Enable Root Account With Dsenableroot, Dscl Authonly"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json
index 3a7bbb85c5..6b4ecd7ef6 100644
--- a/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Claroty xDome", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Claroty xDome Network Threat Detection Alert, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Claroty xDome", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Claroty xDome Network Threat Detection Alert, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json
index fb1141e472..4a69461b13 100644
--- a/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cybereason EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Cybereason EDR Malware Detection, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Microsoft Office Creating Suspicious File, ISO LNK Infection Chain, HTA Infection Chains, Cybereason EDR Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Cybereason EDR Malware Detection, Microsoft Office Creating Suspicious File, Cybereason EDR Alert"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Cybereason EDR Malware Detection, SolarWinds Suspicious File Creation, PsExec Process, OneNote Suspicious Children Process, Cybereason EDR Alert"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Names, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Elevated Shell Launched By Browser"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cybereason EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Cybereason EDR Malware Detection, ISO LNK Infection Chain, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Cybereason EDR Alert, HTA Infection Chains"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Cybereason EDR Malware Detection, Cybereason EDR Alert, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Cybereason EDR Malware Detection, PsExec Process, Cybereason EDR Alert, SolarWinds Suspicious File Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, Process Trace Alteration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json
index 89e4e6c1a3..c19005dea5 100644
--- a/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Netskope Transaction Events [DEPRECATED]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cryptomining, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Netskope Transaction Events [DEPRECATED]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json
index dbdb1fdf96..93588e7d21 100644
--- a/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Squid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default POST Beaconing, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cryptomining, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default POST Beaconing, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Squid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Cryptomining, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, LokiBot Default C2 URL, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json
index 264469aba0..9d3ff2d8f6 100644
--- a/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x F5 BIG-IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Login Brute-Force Successful On SentinelOne EDR Management Console, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, PowerShell EncodedCommand, MalwareBytes Uninstallation, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, Mustang Panda Dropper, Socat Reverse Shell Detection, Correlation Netcat Infection Chain, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Correlation Netcat Infection Chain"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Process Trace Alteration, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Listing Systemd Environment, WMI Fingerprint Commands"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious certutil command, Correlation Netcat Infection Chain, Suspicious Desktopimgdownldr Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Rclone Process"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage, Container Credential Access"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Services, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Disable Services, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Windows Defender Logging Modification Via Registry, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, WMI Fingerprint Commands, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, WMImplant Hack Tool, Blue Mockingbird Malware"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, PowerView commandlets 1, Reconnaissance Commands Activities, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Change Default File Association, COM Hijack Via Sdclt, Reconnaissance Commands Activities, Component Object Model Hijacking, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Generic, Suspicious PowerShell Keywords, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Powershell Web Request And Windows Script, FromBase64String Command Line, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Login Brute-Force Successful On SentinelOne EDR Management Console, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Executions, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Equation Group DLL_U Load, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Executions, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Suspicious Desktopimgdownldr Execution, MavInject Process Injection"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, Reconnaissance Commands Activities, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Adidnsdump Enumeration, Internet Scanner, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Sliver DNS Beaconing, Cobalt Strike HTTP Default POST Beaconing, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Python HTTP Server, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Msdt (Follina) File Browse Process Execution, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default POST Beaconing, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Suspicious URL Requested By Curl Or Wget Commands, User Account Created"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-22986 F5 BIG-IP iControl REST Unauthenticated RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x F5 BIG-IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Correlation Netcat Infection Chain, WMIC Uninstall Product, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, PowerShell Commands Invocation, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, Mustang Panda Dropper, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Cmd.exe Command Line, Linux Bash Reverse Shell, Malspam Execution Registering Malicious DLL, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console, Malspam Execution Registering Malicious DLL, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Login Brute-Force Successful On SentinelOne EDR Management Console, Usage Of Sysinternals Tools, PsExec Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential LokiBot User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Correlation Netcat Infection Chain, Linux Bash Reverse Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious certutil command, Pandemic Windows Implant, Correlation Netcat Infection Chain, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Allowed Python Program, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Discovery Commands Correlation, WMI Fingerprint Commands"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Reconnaissance Commands Activities"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 1, NlTest Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, Invoke-TheHash Commandlets, PowerShell EncodedCommand, PowerShell Invoke Expression With Registry, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Tactical RMM Installation, Invoke-TheHash Commandlets, WMI Fingerprint Commands, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, WMIC Uninstall Product"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Internet Scanner Target, ACLight Discovering Privileged Accounts, Internet Scanner"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Malspam Execution Registering Malicious DLL, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, MavInject Process Injection, Suspicious Taskkill Command, CertOC Loading Dll, Control Panel Items, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Python HTTP Server, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created, Suspicious URL Requested By Curl Or Wget Commands"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2021-22986 F5 BIG-IP iControl REST Unauthenticated RCE, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json
index a216b06e1b..6b2df0ba88 100644
--- a/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x BIND", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x BIND", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Cobalt Strike DNS Beaconing, Dynamic DNS Contacted, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json
index ec633cfc62..cfd79f92dd 100644
--- a/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Jumpcloud Directory Insights", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1134", "score": 100, "comment": "Rules: Jumpcloud Api Key Updated"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Jumpcloud Account Locked"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Jumpcloud Directory Insights", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Jumpcloud Account Locked"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Jumpcloud Api Key Updated"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json
index 29249c8024..ef7d7f370b 100644
--- a/_shared_content/operations_center/detection/generated/attack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Olfeo secure web gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, LokiBot Default C2 URL, Cryptomining, Koadic MSHTML Command, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Olfeo secure web gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, LokiBot Default C2 URL, Koadic MSHTML Command, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a3617bc2-090f-44f6-aeb2-1c6088e24878_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a3617bc2-090f-44f6-aeb2-1c6088e24878_do_not_edit_manually.json
index 3044bab229..fbcbf08a3d 100644
--- a/_shared_content/operations_center/detection/generated/attack_a3617bc2-090f-44f6-aeb2-1c6088e24878_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a3617bc2-090f-44f6-aeb2-1c6088e24878_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft 365 Message Trace (Graph API)", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft 365 Message Trace (Graph API)", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a6de059b-27c5-41a6-a881-59cde4a88d9b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a6de059b-27c5-41a6-a881-59cde4a88d9b_do_not_edit_manually.json
index 20775f22fe..faa338ab3e 100644
--- a/_shared_content/operations_center/detection/generated/attack_a6de059b-27c5-41a6-a881-59cde4a88d9b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a6de059b-27c5-41a6-a881-59cde4a88d9b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x BeyondTrust PRA Vault Account Activity [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x BeyondTrust PRA Vault Account Activity [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a9b9f7be-a036-4e10-a407-53bc3b8308b4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a9b9f7be-a036-4e10-a407-53bc3b8308b4_do_not_edit_manually.json
index 2c47228385..065772c836 100644
--- a/_shared_content/operations_center/detection/generated/attack_a9b9f7be-a036-4e10-a407-53bc3b8308b4_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a9b9f7be-a036-4e10-a407-53bc3b8308b4_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x GraphAPI for Microsoft Entra ID / Azure AD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Authentication Impossible Travel"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Authentication Impossible Travel"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x GraphAPI for Microsoft Entra ID / Azure AD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit (Mamba 2FA), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit (Mamba 2FA), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Authentication Impossible Travel, Entra ID Password Compromised By Known Credential Testing Tool"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Authentication Impossible Travel"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a9c959ac-78ec-47a4-924e-8156a77cebf5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a9c959ac-78ec-47a4-924e-8156a77cebf5_do_not_edit_manually.json
index 3bfe0c6f51..fa935ec9d8 100644
--- a/_shared_content/operations_center/detection/generated/attack_a9c959ac-78ec-47a4-924e-8156a77cebf5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a9c959ac-78ec-47a4-924e-8156a77cebf5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OCSF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious File Name, QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, SquirrelWaffle Malspam Execution Loading DLL, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, Trickbot Malware Activity, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Generic, Suspicious VBS Execution Parameter, Powershell Web Request And Windows Script, Microsoft Defender Antivirus Threat Detected, Generic-reverse-shell-oneliner, Web Application Launching Shell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, PowerShell EncodedCommand, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Elise Backdoor, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Interactive Terminal Spawned via Python, Mustang Panda Dropper, Mshta Suspicious Child Process, Screenconnect Remote Execution, Sysprep On AppData Folder, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Office Spawning Script, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, FLTMC command usage, Netsh Allow Command, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1547.013", "score": 100, "comment": "Rules: Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values, Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, Process Trace Alteration, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Createdump, WCE wceaux.dll Creation, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, Hijack Legit RDP Session To Move Laterally, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Chflags Hidden, Hiding Files With Attrib.exe"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Openfiles Usage, Network Scanning and Discovery"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Deleted, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Mshta Command From A Scheduled Task, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Windows Defender Logging Modification Via Registry, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, MOFComp Execution, Suspicious Windows Installer Execution, IcedID Execution Using Excel, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Explorer Process Executing HTA File, Control Panel Items, Mshta JavaScript Execution, AccCheckConsole Executing Dll, CMSTP UAC Bypass via COM Object Access, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Email Attachment Received"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Email Attachment Received, RDP Configuration File From Mail Process, Suspicious Double Extension, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Process Call Creation, VSCode Tunnel Shell Exec, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WerFaultSecure Abuse, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, Screenconnect Remote Execution, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Taskkill Command, Web Application Launching Shell, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, OneNote Suspicious Children Process, New Service Creation, Mshta Command From A Scheduled Task"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, OneNote Suspicious Children Process, New Service Creation, Mshta Command From A Scheduled Task"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Component Object Model Hijacking, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, Screenconnect Remote Execution, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, PsExec Process, Mshta Command From A Scheduled Task, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Windows Update LolBins, Usage Of Sysinternals Tools, SolarWinds Suspicious File Creation, Microsoft Defender Antivirus Threat Detected, SolarWinds Wrong Child Process, PsExec Process, Mshta Command From A Scheduled Task, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Suspicious DNS Child Process"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Trickbot Malware Activity, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Winword Document Droppers, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Winword Document Droppers, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Microsoft Defender Antivirus Threat Detected, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Rclone Process"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands, Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-21972 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, LokiBot Default C2 URL, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Suspicious Windows DNS Queries, Download File On Cloud Storage Through Command Line, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining, Sliver DNS Beaconing, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Suspicious Windows DNS Queries, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, DNS Tunnel Technique From MuddyWater, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing, Download File On Cloud Storage Through Command Line, SEKOIA.IO Intelligence Feed, Python HTTP Server, LokiBot Default C2 URL"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Generic Password Discovery, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Download Files From Suspicious TLDs, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt, Exchange Server Spawning Suspicious Processes, Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft IIS Module Installation, CVE-2021-34473 ProxyShell Attempt, Exchange Server Spawning Suspicious Processes, Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, User Added To Admin Group Via Cmd, Dscl Authonly, Account Removed From A Security Enabled Group, Enable Root Account With Dsenableroot"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1563.001", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1563", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1555.001", "score": 100, "comment": "Rules: Generic Password Discovery"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OCSF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Suspicious VBS Execution Parameter, PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell EncodedCommand, Microsoft Office Creating Suspicious File, PowerShell Downgrade Attack, Interactive Terminal Spawned via Python, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Web Application Launching Shell, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, WMIC Uninstall Product, Trickbot Malware Activity, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, Powershell Web Request, Screenconnect Remote Execution, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Bloodhound and Sharphound Tools Usage, Suspicious Outlook Child Process, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Sysprep On AppData Folder, PowerShell Commands Invocation, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Generic-reverse-shell-oneliner, SquirrelWaffle Malspam Execution Loading DLL, Socat Relaying Socket, Mustang Panda Dropper, Microsoft Defender Antivirus Threat Detected, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, Mshta Suspicious Child Process, Suspicious Cmd.exe Command Line, Suspicious XOR Encoded PowerShell Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Bash Reverse Shell, Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious File Name"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential LokiBot User-Agent, Bazar Loader DGA (Domain Generation Algorithm), DNS Tunnel Technique From MuddyWater, Suspicious Windows DNS Queries, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Potential Lemon Duck User-Agent, Download File On Cloud Storage Through Command Line, TrevorC2 HTTP Communication, Cobalt Strike DNS Beaconing, LokiBot Default C2 URL, Koadic MSHTML Command, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Suspicious Email Attachment Received, Suspicious Outlook Child Process"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, Netsh RDP Port Opening, ETW Tampering, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Services, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disable .NET ETW Through COMPlus_ETWEnabled, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, FLTMC command usage, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Tampering Detected, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Mshta Command From A Scheduled Task, MavInject Process Injection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, Shadow Copies"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Kernel Module Alteration, Njrat Registry Values, Linux Suspicious Auto-start Desktop Shortcut Execution, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, Chflags Hidden, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1547.013", "score": 100, "comment": "Rules: Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, WCE wceaux.dll Creation, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 1"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 1, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Powershell Web Request, Screenconnect Remote Execution, PowerShell Malicious Nishang PowerShell Commandlets, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Mshta Suspicious Child Process, Suspicious XOR Encoded PowerShell Command Line, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Formbook Hijacked Process Command, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Possible Malicious File Double Extension"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WerFaultSecure Abuse, Tactical RMM Installation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, VSCode Tunnel Shell Exec, Impacket Wmiexec Module, Suspicious Mshta Execution From Wmi, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, Webshell Creation"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, CMSTP UAC Bypass via COM Object Access, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regsvr32 Execution, xWizard Execution, AccCheckConsole Executing Dll, MOFComp Execution, Suspicious Windows Installer Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Lazarus Loaders, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Screenconnect Remote Execution, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Mustang Panda Dropper, Web Application Launching Shell, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Winword Document Droppers, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Winword Document Droppers, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Microsoft Defender Antivirus Threat Detected, Download Files From Suspicious TLDs, Suspicious Outlook Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious DNS Child Process, SolarWinds Wrong Child Process, PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, Mshta Command From A Scheduled Task, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Windows Update LolBins, Suspicious DNS Child Process, SolarWinds Wrong Child Process, Exfiltration Via Pscp, PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, Microsoft Defender Antivirus Threat Detected, Mshta Command From A Scheduled Task, SolarWinds Suspicious File Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Python HTTP Server, Suspicious Windows DNS Queries, Potential Bazar Loader User-Agents, Download File On Cloud Storage Through Command Line, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Download Files From Suspicious TLDs, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created, Suspicious URL Requested By Curl Or Wget Commands, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Impacket Addcomputer"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, New Service Creation, Mshta Command From A Scheduled Task, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, New Service Creation, Mshta Command From A Scheduled Task, OneNote Suspicious Children Process"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, User Added To Admin Group Via Cmd, Account Removed From A Security Enabled Group, Enable Root Account With Dsenableroot, Dscl Authonly"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Email Attachment Received, RDP Configuration File From Mail Process"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Generic Password Discovery, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, RDP Configuration File From Mail Process"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1555.001", "score": 100, "comment": "Rules: Generic Password Discovery"}, {"techniqueID": "T1563.001", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1563", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json
index abd51041e8..090c667f85 100644
--- a/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x F5 NGINX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default POST Beaconing, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cryptomining, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default POST Beaconing, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x F5 NGINX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Cryptomining, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, LokiBot Default C2 URL, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json
index be843c90bd..4ab84da669 100644
--- a/_shared_content/operations_center/detection/generated/attack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Key Vault", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cryptomining, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Key Vault", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Dynamic DNS Contacted, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json
index ea355622bd..629c9e3a44 100644
--- a/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x FreeRADIUS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Login Brute-Force On FreeRadius, FreeRADIUS Failed Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Login Brute-Force On FreeRadius"}, {"techniqueID": "T1110.001", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x FreeRADIUS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1110.001", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Login Brute-Force On FreeRadius, FreeRADIUS Failed Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Login Brute-Force On FreeRadius"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_b02a2580-3457-49fd-9991-bae9d2fe7768_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b02a2580-3457-49fd-9991-bae9d2fe7768_do_not_edit_manually.json
index ab65a85ed7..f3cb2b6a1e 100644
--- a/_shared_content/operations_center/detection/generated/attack_b02a2580-3457-49fd-9991-bae9d2fe7768_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_b02a2580-3457-49fd-9991-bae9d2fe7768_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Forcepoint Management Server", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Forcepoint Management Server", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_b1545bb3-6f55-4ba4-ac80-d649040a127c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b1545bb3-6f55-4ba4-ac80-d649040a127c_do_not_edit_manually.json
index cff3c5613d..38a98fbfb0 100644
--- a/_shared_content/operations_center/detection/generated/attack_b1545bb3-6f55-4ba4-ac80-d649040a127c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_b1545bb3-6f55-4ba4-ac80-d649040a127c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Juniper Networks Switches", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Juniper Networks Switches", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_b21d2080-03e4-4d8c-a175-83691c1e071c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b21d2080-03e4-4d8c-a175-83691c1e071c_do_not_edit_manually.json
index 98c58e22de..5bcf9e5122 100644
--- a/_shared_content/operations_center/detection/generated/attack_b21d2080-03e4-4d8c-a175-83691c1e071c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_b21d2080-03e4-4d8c-a175-83691c1e071c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Nozomi Vantage", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Nozomi Vantage", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_b28db14b-e3a7-463e-8659-9bf0e577944f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b28db14b-e3a7-463e-8659-9bf0e577944f_do_not_edit_manually.json
index e69f94eab7..4cea0b0a5e 100644
--- a/_shared_content/operations_center/detection/generated/attack_b28db14b-e3a7-463e-8659-9bf0e577944f_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_b28db14b-e3a7-463e-8659-9bf0e577944f_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OpenSSH", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Dumpert LSASS Process Dumper"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Dumpert LSASS Process Dumper"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OpenSSH", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Dumpert LSASS Process Dumper"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Dumpert LSASS Process Dumper"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json
index 6fedb142d8..9b8d121607 100644
--- a/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trend Micro Cloud One / Deep Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Generic, Suspicious VBS Execution Parameter, Powershell Web Request And Windows Script, Generic-reverse-shell-oneliner, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Aspnet Compiler, PowerShell EncodedCommand, MalwareBytes Uninstallation, Elise Backdoor, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Interactive Terminal Spawned via Python, Mustang Panda Dropper, Sysprep On AppData Folder, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, Correlation Netcat Infection Chain, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Cloud One Low Intrusion, Trend Micro Cloud One Medium Intrusion, Trend Micro Cloud One High Intrusion"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Correlation Netcat Infection Chain"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, Process Trace Alteration, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Createdump, WCE wceaux.dll Creation, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Hijack Legit RDP Session To Move Laterally, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Correlation Netcat Infection Chain, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Rclone Process"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Chflags Hidden, Hiding Files With Attrib.exe"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Openfiles Usage, Network Scanning and Discovery"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Windows Defender Logging Modification Via Registry, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, Suspicious Windows Installer Execution, MavInject Process Injection, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Explorer Process Executing HTA File, Control Panel Items, Mshta JavaScript Execution, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WerFaultSecure Abuse"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, QakBot Process Creation, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Component Object Model Hijacking, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, ISO LNK Infection Chain, Explorer Process Executing HTA File, HTA Infection Chains"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, SolarWinds Suspicious File Creation, PsExec Process, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Remote System Discovery Via Telnet, Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft IIS Module Installation, Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot, User Added To Admin Group Via Cmd, Dscl Authonly"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trend Micro Cloud One / Deep Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Suspicious VBS Execution Parameter, PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell EncodedCommand, Microsoft Office Creating Suspicious File, PowerShell Downgrade Attack, Interactive Terminal Spawned via Python, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Correlation Netcat Infection Chain, WMIC Uninstall Product, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Sysprep On AppData Folder, PowerShell Commands Invocation, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Generic-reverse-shell-oneliner, Socat Relaying Socket, Mustang Panda Dropper, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, Suspicious Cmd.exe Command Line, Suspicious XOR Encoded PowerShell Command Line, Aspnet Compiler, Linux Bash Reverse Shell, Malspam Execution Registering Malicious DLL, Suspicious File Name"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Koadic MSHTML Command, Dynamic DNS Contacted, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Cloud One High Intrusion, Trend Micro Cloud One Low Intrusion, Trend Micro Cloud One Medium Intrusion"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Correlation Netcat Infection Chain, Linux Bash Reverse Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Correlation Netcat Infection Chain, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, Shadow Copies"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Elevated Msiexec Via Repair Functionality, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Kernel Module Alteration, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, Chflags Hidden, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, WCE wceaux.dll Creation, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 1"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 1, NlTest Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WerFaultSecure Abuse, Tactical RMM Installation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regsvr32 Execution, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ISO LNK Infection Chain, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, HTA Infection Chains"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, Webshell Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd, Enable Root Account With Dsenableroot, Dscl Authonly"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_b502e522-6996-4b12-9538-f69326b68243_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b502e522-6996-4b12-9538-f69326b68243_do_not_edit_manually.json
index aee20f0d0a..44481841b9 100644
--- a/_shared_content/operations_center/detection/generated/attack_b502e522-6996-4b12-9538-f69326b68243_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_b502e522-6996-4b12-9538-f69326b68243_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SentinelOne Singularity Identity", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, SquirrelWaffle Malspam Execution Loading DLL, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Generic, Suspicious VBS Execution Parameter, Powershell Web Request And Windows Script, Generic-reverse-shell-oneliner, Web Application Launching Shell, Suspicious Microsoft Defender Antivirus Exclusion Command, AutoIt3 Execution From Suspicious Folder, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, PowerShell EncodedCommand, MalwareBytes Uninstallation, Elise Backdoor, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Interactive Terminal Spawned via Python, Mustang Panda Dropper, Sysprep On AppData Folder, Screenconnect Remote Execution, Socat Reverse Shell Detection, Correlation Netcat Infection Chain, Microsoft Office Spawning Script, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Services, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, FLTMC command usage, Netsh Allow Command, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Correlation Netcat Infection Chain"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, Process Trace Alteration, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, Elevated Shell Launched By Browser, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Legitimate Process Execution From Unusual Folder, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery, WMI Fingerprint Commands"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Correlation Netcat Infection Chain, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Rclone Process"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection, Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, Shell PID Injection, Reconnaissance Commands Activities, COM Hijack Via Sdclt, UAC Bypass Via Sdclt"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, PowerView commandlets 1, Shell PID Injection, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Shell PID Injection, Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Chflags Hidden, Hiding Files With Attrib.exe"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Clear EventLogs Through CommandLine, Correlation Post Exploitation Patterns Via Winrm, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, MavInject Process Injection, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Windows Defender Logging Modification Via Registry, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, MOFComp Execution, Suspicious Windows Installer Execution, IcedID Execution Using Excel, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, xWizard Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Explorer Process Executing HTA File, Control Panel Items, Mshta JavaScript Execution, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1070.008", "score": 100, "comment": "Rules: Correlation Post Exploitation Patterns Via Winrm"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, WMI Fingerprint Commands, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Process Call Creation, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WerFaultSecure Abuse, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, Screenconnect Remote Execution, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Web Application Launching Shell, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Csrss Wrong Parent, Gpscript Suspicious Parent, New Service Creation, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Wsmprovhost Wrong Parent, OneNote Suspicious Children Process, Dllhost Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Csrss Wrong Parent, Gpscript Suspicious Parent, New Service Creation, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Wsmprovhost Wrong Parent, OneNote Suspicious Children Process, Dllhost Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Gpscript Suspicious Parent, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Csrss Wrong Parent, Taskhostw Wrong Parent, PsExec Process, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Dllhost Wrong Parent, Suspicious DNS Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Gpscript Suspicious Parent, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Csrss Wrong Parent, Taskhostw Wrong Parent, PsExec Process, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Windows Update LolBins, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Dllhost Wrong Parent, Suspicious DNS Child Process"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Change Default File Association, COM Hijack Via Sdclt, Reconnaissance Commands Activities, Component Object Model Hijacking, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Screenconnect Remote Execution, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: MS Office Product Spawning Exe in User Dir, Suspicious Outlook Child Process, Winword Document Droppers, HTA Infection Chains, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel, ISO LNK Infection Chain, Exploit For CVE-2015-1641, Correlation PowerShell Suspicious DLL Loading, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Remote System Discovery Via Telnet, Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Correlation PowerShell Suspicious DLL Loading, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, Dynamic DNS Contacted, Cryptomining, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Generic Password Discovery, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Microsoft IIS Module Installation, PowerCat Function Loading"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1563.001", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1563", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot, User Added To Admin Group Via Cmd, Dscl Authonly"}, {"techniqueID": "T1555.001", "score": 100, "comment": "Rules: Generic Password Discovery"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SentinelOne Singularity Identity", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Suspicious VBS Execution Parameter, PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell EncodedCommand, PowerShell Downgrade Attack, Interactive Terminal Spawned via Python, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Web Application Launching Shell, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Correlation Netcat Infection Chain, WMIC Uninstall Product, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, Powershell Web Request, Screenconnect Remote Execution, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Bloodhound and Sharphound Tools Usage, Suspicious Outlook Child Process, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Sysprep On AppData Folder, PowerShell Commands Invocation, AutoIt3 Execution From Suspicious Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Generic-reverse-shell-oneliner, SquirrelWaffle Malspam Execution Loading DLL, Socat Relaying Socket, Mustang Panda Dropper, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, Suspicious Cmd.exe Command Line, Suspicious XOR Encoded PowerShell Command Line, Linux Bash Reverse Shell, Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Suspicious Windows DNS Queries, Cryptomining, Dynamic DNS Contacted, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Correlation Priv Esc Via Remote Thread, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Shell PID Injection, UAC Bypass Via Sdclt, Reconnaissance Commands Activities"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 1, PowerView commandlets 2, Shell PID Injection, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Netsh Allow Command, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, FLTMC command usage, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Correlation Netcat Infection Chain, Linux Bash Reverse Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Correlation Netcat Infection Chain, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Smss Wrong Parent, MavInject Process Injection, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Svchost Wrong Parent"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, WMI Fingerprint Commands, System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, Elevated Shell Launched By Browser"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Kernel Module Alteration, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Correlation Post Exploitation Patterns Via Winrm, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, Chflags Hidden, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, HackTools Suspicious Names, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Reconnaissance Commands Activities"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 1, NlTest Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Powershell Web Request, Screenconnect Remote Execution, PowerShell Malicious Nishang PowerShell Commandlets, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Winlogon wrong parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Smss Wrong Parent, Logonui Wrong Parent, Taskhost Wrong Parent, New Service Creation, Lsass Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Csrss Wrong Parent, Gpscript Suspicious Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Winlogon wrong parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Smss Wrong Parent, Logonui Wrong Parent, Taskhost Wrong Parent, New Service Creation, Lsass Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Csrss Wrong Parent, Gpscript Suspicious Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Smss Wrong Parent, Taskhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Winlogon wrong parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Suspicious DNS Child Process, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, PsExec Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Smss Wrong Parent, Windows Update LolBins, Taskhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Winlogon wrong parent, Taskhostw Wrong Parent, Exfiltration Via Pscp, Csrss Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Suspicious DNS Child Process, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, PsExec Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WerFaultSecure Abuse, Tactical RMM Installation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, WMI Fingerprint Commands, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, Impacket Wmiexec Module, Suspicious Mshta Execution From Wmi, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Microsoft IIS Module Installation"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, CMSTP Execution, Suspicious Regsvr32 Execution, xWizard Execution, AccCheckConsole Executing Dll, MOFComp Execution, Suspicious Windows Installer Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Screenconnect Remote Execution, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Mustang Panda Dropper, Web Application Launching Shell, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Winword Document Droppers, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Winword Document Droppers, Correlation PowerShell Suspicious DLL Loading, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, HTA Infection Chains, Suspicious Outlook Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1070.008", "score": 100, "comment": "Rules: Correlation Post Exploitation Patterns Via Winrm"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Correlation PowerShell Suspicious DLL Loading, HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Generic Password Discovery, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd, Enable Root Account With Dsenableroot, Dscl Authonly"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1555.001", "score": 100, "comment": "Rules: Generic Password Discovery"}, {"techniqueID": "T1563.001", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1563", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json
index 19fe4705dd..5b841b53d6 100644
--- a/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trellix EPO [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trellix EPO [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json
index 920c2119e0..a1045c51bc 100644
--- a/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trellix Network Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Names, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Adidnsdump Enumeration, Internet Scanner"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Trellix Network Security Threat Notified, Potential Lemon Duck User-Agent, Trellix Network Security Threat Blocked, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trellix Network Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Trellix Network Security Threat Notified, Potential LokiBot User-Agent, Trellix Network Security Threat Blocked, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, Process Trace Alteration"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_baf03007-4fbc-427e-a966-fa50cbe77856_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_baf03007-4fbc-427e-a966-fa50cbe77856_do_not_edit_manually.json
index 30bfc2b0b3..3bd94019b1 100644
--- a/_shared_content/operations_center/detection/generated/attack_baf03007-4fbc-427e-a966-fa50cbe77856_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_baf03007-4fbc-427e-a966-fa50cbe77856_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Nozomi CMC", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Correlation Potential DNS Tunnel, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Nozomi CMC", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bb71a257-e2cc-419c-b210-ab23cf731b3a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bb71a257-e2cc-419c-b210-ab23cf731b3a_do_not_edit_manually.json
index 20d01c1e03..6443fdf50d 100644
--- a/_shared_content/operations_center/detection/generated/attack_bb71a257-e2cc-419c-b210-ab23cf731b3a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bb71a257-e2cc-419c-b210-ab23cf731b3a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x PRODAFT USTA Cyber Threat Intelligence Platform", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x PRODAFT USTA Cyber Threat Intelligence Platform", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Dynamic DNS Contacted, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json
index f113df23b2..fdc5bb4450 100644
--- a/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Gatewatcher AionIQ v102", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, WAF Block Rule, Internet Scanner, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Gatewatcher AionIQ Malware Alert, Gatewatcher AionIQ Network Alert, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Koadic MSHTML Command, Nimbo-C2 User Agent, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Potential LokiBot User-Agent, Sliver DNS Beaconing, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Gatewatcher AionIQ v102", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, WAF Block Rule, WAF Correlation Block actions, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Gatewatcher AionIQ Malware Alert, Gatewatcher AionIQ Network Alert"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Cobalt Strike DNS Beaconing, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Sliver DNS Beaconing, Potential LokiBot User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Potential LokiBot User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json
index 5759971948..bba4aeaa21 100644
--- a/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare DNS logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare DNS logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json
index a59a3faa3c..5f1fc21bee 100644
--- a/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Vectra Cognito Detect", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Vectra General Threat Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Vectra Cognito Detect", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Vectra General Threat Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json
index 875020c569..26e83df3f2 100644
--- a/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Elastic Winlogbeat", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, WAF Block Rule, Internet Scanner, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious File Name, QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Python Offensive Tools and Packages, Login Brute-Force Successful On SentinelOne EDR Management Console, Powershell Web Request, SquirrelWaffle Malspam Execution Loading DLL, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, Trickbot Malware Activity, PowerShell Credential Prompt, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Generic, Malicious PowerShell Keywords, Suspicious VBS Execution Parameter, Powershell Web Request And Windows Script, Microsoft Defender Antivirus Threat Detected, Generic-reverse-shell-oneliner, Sigma Intelligence ErrTraffic PowerShell Command Line, Evil Winrm Modules Execution, Web Application Launching Shell, Suspicious Microsoft Defender Antivirus Exclusion Command, AutoIt3 Execution From Suspicious Folder, Suspicious PowerShell Invocations - Specific, PowerShell NTFS Alternate Data Stream, Lazarus Loaders, Aspnet Compiler, PowerShell EncodedCommand, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Elise Backdoor, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Interactive Terminal Spawned via Python, Mustang Panda Dropper, PowerShell Suspicious Context Changes, Screenconnect Remote Execution, Mshta Suspicious Child Process, Sysprep On AppData Folder, PowerShell Malicious PowerShell Commandlets, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Office Spawning Script, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Chafer (APT 39) Activity, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Scheduled Task Creation By Non Privileged User, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Driver Loaded, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, Disabled Service, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Package Manager Alteration, Windows Defender Deactivation Using PowerShell Script, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, TrustedInstaller Impersonation, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, Netsh Port Forwarding, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Suspicious Driver Loaded, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, FLTMC command usage, Netsh Allow Command, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, Disabled Service, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Package Manager Alteration, Powershell AMSI Bypass, Windows Defender Deactivation Using PowerShell Script, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, TrustedInstaller Impersonation, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Malware Protection Engine Crash, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1547.013", "score": 100, "comment": "Rules: Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Powershell Suspicious Startup Shortcut Persistence, Kernel Module Alteration, DLL Load via LSASS Registry Key, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, Svchost Modification, Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration, Njrat Registry Values, Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Trace Alteration, Copying Browser Files With Credentials, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Wdigest Enable UseLogonCredential, Credential Dump Tools Related Files, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, HackTools Suspicious Names, Windows Credential Editor Registry Key, Malicious Service Installations, WCE wceaux.dll Creation, Rubeus Tool Command-line, NTDS.dit File In Suspicious Directory, NetNTLM Downgrade Attack, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, SeEnableDelegationPrivilege Granted To User Or Machine In Active Directory, Add User to Privileged Group, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, Hijack Legit RDP Session To Move Laterally, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Legitimate Process Execution From Unusual Folder, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading, Unsigned Driver Loaded From Suspicious Location, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Chflags Hidden, Hiding Files With Attrib.exe, PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, CVE-2021-4034 Polkit's pkexec, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Openfiles Usage, Network Scanning and Discovery"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Eventlog Cleared, ETW Tampering, Cookies Deletion, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Deleted, Evil Winrm Modules Execution, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Mshta Command From A Scheduled Task, Spoolsv Wrong Parent, MavInject Process Injection, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, OceanLotus Registry Activity, FlowCloud Malware, Wdigest Enable UseLogonCredential, RedMimicry Winnti Playbook Registry Manipulation, DHCP Callout DLL Installation, RDP Sensitive Settings Changed, DNS ServerLevelPluginDll Installation, Disabling SmartScreen Via Registry, RDP Port Change Using Powershell, Suspicious Desktopimgdownldr Execution, Disable .NET ETW Through COMPlus_ETWEnabled, Chafer (APT 39) Activity, Windows Defender Logging Modification Via Registry, LanManServer Registry Modify, Ursnif Registry Key, Blue Mockingbird Malware, NetNTLM Downgrade Attack, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, MOFComp Execution, Suspicious Windows Installer Execution, IcedID Execution Using Excel, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Explorer Process Executing HTA File, Control Panel Items, Mshta JavaScript Execution, AccCheckConsole Executing Dll, CMSTP UAC Bypass via COM Object Access, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Credential Prompt, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Malicious PowerShell Keywords, Powershell Web Request And Windows Script, Sigma Intelligence ErrTraffic PowerShell Command Line, Evil Winrm Modules Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell NTFS Alternate Data Stream, PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Suspicious Context Changes, Screenconnect Remote Execution, Mshta Suspicious Child Process, PowerShell Malicious PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, User Added To Admin Group Via Cmd, Dscl Authonly, Account Tampering - Suspicious Failed Logon Reasons, Account Removed From A Security Enabled Group, Enable Root Account With Dsenableroot, Admin User RDP Remote Logon"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon, User Added To Admin Group Via Cmd"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Process Call Creation, VSCode Tunnel Shell Exec, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WerFaultSecure Abuse, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, Screenconnect Remote Execution, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Taskkill Command, Web Application Launching Shell, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Wininit Wrong Parent, Logonui Wrong Parent, New Service Creation, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Lsass Wrong Parent, Chafer (APT 39) Activity, Csrss Child Found, Malicious Service Installations, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Wininit Wrong Parent, Logonui Wrong Parent, New Service Creation, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Lsass Wrong Parent, Chafer (APT 39) Activity, Csrss Child Found, Malicious Service Installations, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Wininit Wrong Parent, Logonui Wrong Parent, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Smbexec.py Service Installation, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, PsExec Process, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Csrss Child Found, Malicious Service Installations, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Suspicious DNS Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Gpscript Suspicious Parent, Login Brute-Force Successful On SentinelOne EDR Management Console, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Wininit Wrong Parent, Logonui Wrong Parent, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Smbexec.py Service Installation, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Microsoft Defender Antivirus Threat Detected, Csrss Wrong Parent, Taskhostw Wrong Parent, PsExec Process, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Windows Update LolBins, Csrss Child Found, SolarWinds Suspicious File Creation, Malicious Service Installations, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Suspicious DNS Child Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Component Object Model Hijacking, WMI Event Subscription, Suspicious Netsh DLL Persistence, Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Powershell Suspicious Startup Shortcut Persistence, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Svchost Modification"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Trickbot Malware Activity, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Phosphorus Domain Controller Discovery, AdFind Usage"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Chafer (APT 39) Activity, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: MS Office Product Spawning Exe in User Dir, Sysmon Windows File Block Executable, Winword Document Droppers, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: MS Office Product Spawning Exe in User Dir, Sysmon Windows File Block Executable, Suspicious Outlook Child Process, Winword Document Droppers, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Microsoft Defender Antivirus Threat Detected, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel, Login Brute-Force Successful On SentinelOne EDR Management Console, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack, Rubeus Register New Logon Process"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Rclone Process"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, Chafer (APT 39) Activity, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, Chafer (APT 39) Activity, Dynamic DNS Contacted, Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Adidnsdump Enumeration, Internet Scanner"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost, RDP Port Change Using Powershell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Smbexec.py Service Installation, RDP Login From Localhost, RDP Port Change Using Powershell, MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Generic Password Discovery, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Msdt (Follina) File Browse Process Execution, Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft IIS Module Installation, Exchange Server Spawning Suspicious Processes, Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1070.008", "score": 100, "comment": "Rules: Evil Winrm Modules Execution"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, WMI Event Subscription"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Smbexec.py Service Installation"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1563.001", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1563", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1555.001", "score": 100, "comment": "Rules: Generic Password Discovery"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Elastic Winlogbeat", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Suspicious VBS Execution Parameter, PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Microsoft Office Creating Suspicious File, PowerShell Downgrade Attack, Interactive Terminal Spawned via Python, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Web Application Launching Shell, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Credential Prompt, Suspicious PowerShell Invocations - Generic, WMIC Uninstall Product, Trickbot Malware Activity, PowerShell Malicious PowerShell Commandlets, Invoke-TheHash Commandlets, PowerShell NTFS Alternate Data Stream, Lazarus Loaders, PowerShell Invoke Expression With Registry, Powershell Web Request, Python Offensive Tools and Packages, Screenconnect Remote Execution, PowerShell Malicious Nishang PowerShell Commandlets, Sigma Intelligence ErrTraffic PowerShell Command Line, Elise Backdoor, Bloodhound and Sharphound Tools Usage, Suspicious Outlook Child Process, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Sysprep On AppData Folder, PowerShell Commands Invocation, AutoIt3 Execution From Suspicious Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Generic-reverse-shell-oneliner, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Suspicious Context Changes, Evil Winrm Modules Execution, Socat Relaying Socket, Mustang Panda Dropper, Microsoft Defender Antivirus Threat Detected, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Malicious PowerShell Keywords, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, Mshta Suspicious Child Process, Suspicious Cmd.exe Command Line, Suspicious XOR Encoded PowerShell Command Line, Aspnet Compiler, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Bash Reverse Shell, Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Login Brute-Force Successful On SentinelOne EDR Management Console, Suspicious File Name"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, WAF Block Rule, WAF Correlation Block actions, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Winword Document Droppers, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Sysmon Windows File Block Executable, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console, Suspicious Outlook Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Windows Update LolBins, Taskhost Wrong Parent, Smbexec.py Service Installation, Lsass Wrong Parent, Malicious Service Installations, OneNote Suspicious Children Process, Svchost Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Exfiltration Via Pscp, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Microsoft Defender Antivirus Threat Detected, Mshta Command From A Scheduled Task, Usage Of Procdump With Common Arguments, Csrss Child Found, SolarWinds Suspicious File Creation, Rare Logonui Child Found, SolarWinds Wrong Child Process, PsExec Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Login Brute-Force Successful On SentinelOne EDR Management Console, Winrshost Wrong Parent"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Winword Document Droppers, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Sysmon Windows File Block Executable, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Suspicious Windows DNS Queries, Cryptomining, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Chafer (APT 39) Activity"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Windows Defender Deactivation Using PowerShell Script, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Attempt to Disable Gatekeeper Execution Control, SELinux Disabling, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Fail2ban Unban IP, Package Manager Alteration, Disabled Service, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, TrustedInstaller Impersonation, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Microsoft Malware Protection Engine Crash, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, Windows Defender Deactivation Using PowerShell Script, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, Netsh Program Allowed With Suspicious Location, Disable .NET ETW Through COMPlus_ETWEnabled, SELinux Disabling, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Attempt to Disable Gatekeeper Execution Control, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Fail2ban Unban IP, Package Manager Alteration, Disabled Service, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, TrustedInstaller Impersonation, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Microsoft Malware Protection Engine Crash, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, FLTMC command usage, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Tampering Detected, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, RTLO Character, Unsigned Driver Loaded From Suspicious Location, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Smss Wrong Parent, MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Taskhost Wrong Parent, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Mshta Command From A Scheduled Task, Svchost Wrong Parent"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, Shadow Copies"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key, Malware Persistence Registry Key, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, Linux Suspicious Auto-start Desktop Shortcut Execution, Suspicious desktop.ini Action, Microsoft Office Macro Security Registry Modifications, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification, Powershell Suspicious Startup Shortcut Persistence, NjRat Registry Changes, Security Support Provider (SSP) Added to LSA Configuration, Powershell Winlogon Helper DLL"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Certify Or Certipy, Suspicious New Printer Ports In Registry, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Cookies Deletion, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Evil Winrm Modules Execution, ETW Tampering, Compression Followed By Suppression, Eventlog Cleared, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, PowerShell NTFS Alternate Data Stream, Chflags Hidden, Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, SSH Authorized Key Alteration, Mimikatz Basic Commands, SeEnableDelegationPrivilege Granted To User Or Machine In Active Directory, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Cron Files Alteration, Chafer (APT 39) Activity"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1547.013", "score": 100, "comment": "Rules: Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Trace Alteration, Malicious Service Installations, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Mimikatz Basic Commands, NetNTLM Downgrade Attack, Copying Browser Files With Credentials, HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage, WMI Event Subscription, Component Object Model Hijacking, Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, Windows Defender Logging Modification Via Registry, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious New Printer Ports In Registry, RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, Disable Workstation Lock, OceanLotus Registry Activity, DNS ServerLevelPluginDll Installation, NetNTLM Downgrade Attack, LanManServer Registry Modify, Suspicious Desktopimgdownldr Execution, Blue Mockingbird Malware, RDP Port Change Using Powershell, Disabling SmartScreen Via Registry, FlowCloud Malware, Chafer (APT 39) Activity"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Lsass Wrong Parent, Malicious Service Installations, OneNote Suspicious Children Process, Svchost Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Mshta Command From A Scheduled Task, Csrss Child Found, Rare Logonui Child Found, New Service Creation, SolarWinds Wrong Child Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Chafer (APT 39) Activity, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Lsass Wrong Parent, Malicious Service Installations, OneNote Suspicious Children Process, Svchost Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Mshta Command From A Scheduled Task, Csrss Child Found, Rare Logonui Child Found, New Service Creation, SolarWinds Wrong Child Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Chafer (APT 39) Activity, Winrshost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Smbexec.py Service Installation, Lsass Wrong Parent, Malicious Service Installations, OneNote Suspicious Children Process, Svchost Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Mshta Command From A Scheduled Task, Csrss Child Found, Rare Logonui Child Found, SolarWinds Wrong Child Process, PsExec Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification, Powershell Suspicious Startup Shortcut Persistence"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 1, PowerView commandlets 2, Phosphorus (APT35) Exchange Discovery, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, AdFind Usage, Phosphorus Domain Controller Discovery, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 1, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, PowerShell Credential Prompt, PowerShell Malicious PowerShell Commandlets, Invoke-TheHash Commandlets, PowerShell NTFS Alternate Data Stream, PowerShell Invoke Expression With Registry, Powershell Web Request, Screenconnect Remote Execution, PowerShell Malicious Nishang PowerShell Commandlets, Sigma Intelligence ErrTraffic PowerShell Command Line, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Suspicious Context Changes, Evil Winrm Modules Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Malicious PowerShell Keywords, Suspicious PowerShell Keywords, Mshta Suspicious Child Process, Suspicious XOR Encoded PowerShell Command Line, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WerFaultSecure Abuse, Tactical RMM Installation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, VSCode Tunnel Shell Exec, Impacket Wmiexec Module, Suspicious Mshta Execution From Wmi, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, Webshell Creation"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, CMSTP UAC Bypass via COM Object Access, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regsvr32 Execution, xWizard Execution, AccCheckConsole Executing Dll, MOFComp Execution, Suspicious Windows Installer Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Lazarus Loaders, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Screenconnect Remote Execution, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Mustang Panda Dropper, Web Application Launching Shell, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Chafer (APT 39) Activity"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Chafer (APT 39) Activity"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Suspicious New Printer Ports In Registry, Exploit For CVE-2015-1641"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, Impacket Addcomputer, User Account Created"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, RDP Login From Localhost, MMC20 Lateral Movement, Smbexec.py Service Installation, MMC Spawning Windows Shell"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior, EvilProxy Phishing Domain"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, RDP Login From Localhost"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Admin User RDP Remote Logon, User Added To Admin Group Via Cmd, Account Tampering - Suspicious Failed Logon Reasons, Account Removed From A Security Enabled Group, Enable Root Account With Dsenableroot, Dscl Authonly"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1070.008", "score": 100, "comment": "Rules: Evil Winrm Modules Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Register New Logon Process, Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd, Admin User RDP Remote Logon"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Smbexec.py Service Installation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Generic Password Discovery, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, WMI Event Subscription"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1555.001", "score": 100, "comment": "Rules: Generic Password Discovery"}, {"techniqueID": "T1563.001", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1563", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json
index 7c5dbb7917..5adefcd2a5 100644
--- a/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft Intune", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Microsoft Intune Non-Compliant Device"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft Intune", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1553", "score": 100, "comment": "Rules: Microsoft Intune Non-Compliant Device"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console, Sekoia.io EICAR Detection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.json
index 20f424e5cc..a60c89881a 100644
--- a/_shared_content/operations_center/detection/generated/attack_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fastly Next-Gen WAF Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Fastly Next-Gen WAF Audit Threat Alert"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Fastly Next-Gen WAF Audit Threat Alert"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fastly Next-Gen WAF Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Fastly Next-Gen WAF Audit Threat Alert"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Fastly Next-Gen WAF Audit Threat Alert"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Dynamic DNS Contacted, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c3621017-d090-44c8-af7a-9408332a15d0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c3621017-d090-44c8-af7a-9408332a15d0_do_not_edit_manually.json
index 3421575275..575d501118 100644
--- a/_shared_content/operations_center/detection/generated/attack_c3621017-d090-44c8-af7a-9408332a15d0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c3621017-d090-44c8-af7a-9408332a15d0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Zscaler Private Access [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default POST Beaconing, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cryptomining, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default POST Beaconing, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Authentication Impossible Travel"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Authentication Impossible Travel"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Zscaler Private Access [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Cryptomining, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, LokiBot Default C2 URL, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Authentication Impossible Travel"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Authentication Impossible Travel"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json
index feedf8f40d..3158da813c 100644
--- a/_shared_content/operations_center/detection/generated/attack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Netfilter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Netfilter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c47d2c82-494e-400c-b804-d68fb7a60859_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c47d2c82-494e-400c-b804-d68fb7a60859_do_not_edit_manually.json
index 0967cd87c5..15ed024381 100644
--- a/_shared_content/operations_center/detection/generated/attack_c47d2c82-494e-400c-b804-d68fb7a60859_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c47d2c82-494e-400c-b804-d68fb7a60859_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x PingFederate", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, LokiBot Default C2 URL, Cryptomining, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x PingFederate", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, LokiBot Default C2 URL, Koadic MSHTML Command, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c6a43439-7b9d-4678-804b-ebda6756db60_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c6a43439-7b9d-4678-804b-ebda6756db60_do_not_edit_manually.json
index 85d02a7026..b3b686df16 100644
--- a/_shared_content/operations_center/detection/generated/attack_c6a43439-7b9d-4678-804b-ebda6756db60_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c6a43439-7b9d-4678-804b-ebda6756db60_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cyberwatch Detection", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Cyberwatch Detection Critical Vulnerability"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Cyberwatch Detection Critical Vulnerability"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cyberwatch Detection", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Cyberwatch Detection Critical Vulnerability"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Cyberwatch Detection Critical Vulnerability"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json
index 519a79368b..e191c5e8e2 100644
--- a/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft 365 / Office 365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Privacy Email Address"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Privacy Email Address, Entra ID Consent Attempt to Suspicious OAuth Application"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft Defender for Office 365 Medium Severity AIR Alert, Suspicious Email Attachment Received, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 Security and Compliance Center Medium Severity Alert, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) MCAS New Country, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 Security and Compliance Center High Severity Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Possible Malicious File Double Extension, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, RDP Configuration File From Mail Process, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses, SEKOIA.IO Intelligence Feed, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Suspicious Double Extension, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Suspicious Email Attachment Received, RDP Configuration File From Mail Process, Suspicious Double Extension, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Suspicious Download Links From Legitimate Services, Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) DLP Policy Removed, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, HTA Infection Chains, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, ISO LNK Infection Chain, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) Malware Filter Rule Deletion"}, {"techniqueID": "T1114.002", "score": 100, "comment": "Rules: Entra ID Consent Attempt to Suspicious OAuth Application"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit (Mamba 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (HoneySecurity / HoneyStorm), Entra ID Sign-In Via Known AiTM Phishing Kit (Sneaky 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (CEPHAS 2FA), Microsoft 365 Sign-in With No User Agent, Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Rockstar 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Greatness), Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses, Entra ID Sign-In Via Known AiTM Phishing Kit (Gabagool), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit (Mamba 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (HoneySecurity / HoneyStorm), Entra ID Sign-In Via Known AiTM Phishing Kit (Sneaky 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (CEPHAS 2FA), Microsoft 365 Sign-in With No User Agent, Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Rockstar 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Greatness), Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses, Entra ID Sign-In Via Known AiTM Phishing Kit (Gabagool), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Sekoia.io EICAR Detection, Bloodhound and Sharphound Tools Usage, Suspicious File Name"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Entra ID Password Compromised Via Seamless SSO Credential Testing, Entra ID Password Compromised By Known Credential Testing Tool"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed, Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed, Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot, Microsoft 365 Device Code Authentication, Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1564.008", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Microsoft 365 Authenticated Activity From Tor IP Address, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Microsoft 365 Authenticated Activity From Tor IP Address, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Email Attachment Received"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Cryptomining, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft 365 / Office 365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, ZIP LNK Infection Chain, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, HTA Infection Chains, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) MCAS Risky IP, Cobalt Strike Default Beacons Names, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) Malware Filter Rule Deletion, ISO LNK Infection Chain, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) MCAS Detection Velocity"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 Security and Compliance Center High Severity Alert, RDP Configuration File From Mail Process, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, SEKOIA.IO Intelligence Feed, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Suspicious Double Extension, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) AtpDetection, Suspicious Download Links From Legitimate Services, Suspicious Email Attachment Received, Microsoft 365 Security and Compliance Center Medium Severity Alert, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) MCAS Detection Velocity, Possible Malicious File Double Extension"}, {"techniqueID": "T1564.008", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit (CEPHAS 2FA), Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses, Microsoft 365 Sign-in With No User Agent, Entra ID Sign-In Via Known AiTM Phishing Kit (Gabagool), Entra ID Sign-In Via Known AiTM Phishing Kit (HoneySecurity / HoneyStorm), Sign-In Via Known AiTM Phishing Kit, Entra ID Sign-In Via Known AiTM Phishing Kit (Mamba 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Sneaky 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Rockstar 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Greatness)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit (CEPHAS 2FA), Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses, Microsoft 365 Sign-in With No User Agent, Entra ID Sign-In Via Known AiTM Phishing Kit (Gabagool), Entra ID Sign-In Via Known AiTM Phishing Kit (HoneySecurity / HoneyStorm), Sign-In Via Known AiTM Phishing Kit, Entra ID Sign-In Via Known AiTM Phishing Kit (Mamba 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Sneaky 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Rockstar 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Greatness)"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Entra ID Password Compromised Via Seamless SSO Credential Testing, Entra ID Password Compromised By Known Credential Testing Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Suspicious Double Extension, RDP Configuration File From Mail Process, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 Medium Severity AIR Alert, Suspicious Email Attachment Received"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 Medium Severity AIR Alert, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication, Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group, Enable Root Account With Dsenableroot"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Privacy Email Address, Entra ID Consent Attempt to Suspicious OAuth Application, Microsoft 365 Email Forwarding To Email Address With Rare TLD"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification, Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification, Domain Trust Created Or Removed"}, {"techniqueID": "T1114.002", "score": 100, "comment": "Rules: Entra ID Consent Attempt to Suspicious OAuth Application"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Microsoft 365 Authenticated Activity From Tor IP Address, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Microsoft 365 Authenticated Activity From Tor IP Address, TOR Usage Generic Rule"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Cryptomining, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Dynamic DNS Contacted, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Impacket Addcomputer, User Account Created"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, RDP Configuration File From Mail Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_cc1b212e-80c2-4dde-8446-2e194c6d4e80_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_cc1b212e-80c2-4dde-8446-2e194c6d4e80_do_not_edit_manually.json
index 36cd3d35fc..5de93dd97a 100644
--- a/_shared_content/operations_center/detection/generated/attack_cc1b212e-80c2-4dde-8446-2e194c6d4e80_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_cc1b212e-80c2-4dde-8446-2e194c6d4e80_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Keycloak Events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Sekoia.io EICAR Detection, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot, Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Keycloak Events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Microsoft Defender Antivirus Threat Detected, Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, PsExec Process"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group, Enable Root Account With Dsenableroot"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ce4ab9ba-4ed7-420d-af30-f144229f37ee_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ce4ab9ba-4ed7-420d-af30-f144229f37ee_do_not_edit_manually.json
index db68196264..8ddf089285 100644
--- a/_shared_content/operations_center/detection/generated/attack_ce4ab9ba-4ed7-420d-af30-f144229f37ee_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ce4ab9ba-4ed7-420d-af30-f144229f37ee_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Olfeo SAAS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, LokiBot Default C2 URL, Cryptomining, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Olfeo SAAS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, LokiBot Default C2 URL, Koadic MSHTML Command, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json
index a8053ccbdc..99cb5e2322 100644
--- a/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OGO WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cryptomining, Potential LokiBot User-Agent, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OGO WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json
index db6598bbae..216dbb7ef4 100644
--- a/_shared_content/operations_center/detection/generated/attack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ubika Cloud Protector Alerts [DEPRECATED]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ubika Cloud Protector Alerts [DEPRECATED]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d11df984-840d-4c29-a6dc-b9195c3a24e3_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d11df984-840d-4c29-a6dc-b9195c3a24e3_do_not_edit_manually.json
index 232c65c01b..fddad04264 100644
--- a/_shared_content/operations_center/detection/generated/attack_d11df984-840d-4c29-a6dc-b9195c3a24e3_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d11df984-840d-4c29-a6dc-b9195c3a24e3_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Bitdefender GravityZone", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Bitdefender GravityZone Endpoint Detection, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, Correlation Supicious Powershell Drop and Exec, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, PowerShell EncodedCommand, MalwareBytes Uninstallation, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, Mustang Panda Dropper, Socat Reverse Shell Detection, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs, Malspam Execution Registering Malicious DLL, Bitdefender GravityZone Endpoint Detection, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, PsExec Process, OneNote Suspicious Children Process, Bitdefender GravityZone Endpoint Detection, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Process Trace Alteration, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Legitimate Process Execution From Unusual Folder, Linux Masquerading Space After Name, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage, Container Credential Access"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Services, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Suspicious PROCEXP152.sys File Created In Tmp, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, FLTMC command usage, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Windows Defender Logging Modification Via Registry, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Process Call Creation, WMImplant Hack Tool, Blue Mockingbird Malware"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Component Object Model Hijacking, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Generic, Suspicious PowerShell Keywords, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Powershell Web Request And Windows Script, Correlation Supicious Powershell Drop and Exec, Suspicious Taskkill Command, FromBase64String Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Equation Group DLL_U Load, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Executions, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, PsExec Process, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Rclone Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Dynamic DNS Contacted, Cryptomining, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1555.001", "score": 100, "comment": "Rules: Generic Password Discovery"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Generic Password Discovery"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Bitdefender GravityZone", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, WMIC Uninstall Product, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Bitdefender GravityZone Endpoint Detection, PowerShell Commands Invocation, Suspicious PrinterPorts Creation (CVE-2020-1048), SquirrelWaffle Malspam Execution Loading DLL, Socat Relaying Socket, Mustang Panda Dropper, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Cmd.exe Command Line, Linux Bash Reverse Shell, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Dynamic DNS Contacted, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: MS Office Product Spawning Exe in User Dir, Bitdefender GravityZone Endpoint Detection, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Download Files From Suspicious TLDs"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Bitdefender GravityZone Endpoint Detection, SolarWinds Wrong Child Process, PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, OneNote Suspicious Children Process"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Linux Masquerading Space After Name, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Possible Malicious File Double Extension, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, Suspicious PROCEXP152.sys File Created In Tmp, Raccine Uninstall, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Allowed Python Program, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, FLTMC command usage, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 1, NlTest Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request And Windows Script, Suspicious Taskkill Command, Invoke-TheHash Commandlets, FromBase64String Command Line, PowerShell EncodedCommand, PowerShell Invoke Expression With Registry, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Tactical RMM Installation, Invoke-TheHash Commandlets, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, Impacket Wmiexec Module, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, WMIC Uninstall Product"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Download Files From Suspicious TLDs, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, MavInject Process Injection, Suspicious Taskkill Command, CertOC Loading Dll, Control Panel Items, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, OneNote Suspicious Children Process"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server, Detect requests to Konni C2 servers"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious certutil command, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1555.001", "score": 100, "comment": "Rules: Generic Password Discovery"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Generic Password Discovery"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json
index 82c4322ee8..d0e5ca403f 100644
--- a/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Gateway Network", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Gateway Network", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d1d24b7a-c6a7-482d-8334-affc0a11dedd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d1d24b7a-c6a7-482d-8334-affc0a11dedd_do_not_edit_manually.json
index f3cf25e47e..1426bec984 100644
--- a/_shared_content/operations_center/detection/generated/attack_d1d24b7a-c6a7-482d-8334-affc0a11dedd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d1d24b7a-c6a7-482d-8334-affc0a11dedd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x F5 Distributed Cloud", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Koadic MSHTML Command, Nimbo-C2 User Agent, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x F5 Distributed Cloud", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Dynamic DNS Contacted, Potential LokiBot User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Potential LokiBot User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json
index d2459d0dc7..d66ddcae6b 100644
--- a/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Salesforce", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default POST Beaconing, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cryptomining, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default POST Beaconing, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Salesforce", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Cryptomining, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, LokiBot Default C2 URL, Koadic MSHTML Command, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json
index 8898d69f5d..e1ebfe735c 100644
--- a/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS CloudTrail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1021.007", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey, AWS CloudTrail EC2 Instance Connect SendSSHPublicKey, AWS CloudTrail EC2 DeleteKeyPair, AWS CloudTrail EC2 CreateKeyPair, AWS CloudTrail EC2 Enable Serial Console Access"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey, AWS CloudTrail EC2 Instance Connect SendSSHPublicKey, AWS CloudTrail EC2 DeleteKeyPair, AWS CloudTrail EC2 CreateKeyPair, AWS CloudTrail EC2 Enable Serial Console Access"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, AWS CloudTrail Remove Flow logs, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail Disable MFA, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail IAM ChangePassword, AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, AWS CloudTrail IAM DeleteSAMLProvider, AWS CloudTrail Important Change, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint, AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail IAM UpdateSAMLProvider"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: AWS CloudTrail Config Disable Channel/Recorder, Microsoft Defender Antivirus Tampering Detected, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, AWS CloudTrail IAM DeleteSAMLProvider, AWS CloudTrail GuardDuty Detector Deleted, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail Disable MFA, AWS CloudTrail Important Change, AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail EC2 Security Group Modified, AWS CloudTrail IAM ChangePassword, AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1578.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail S3 Bucket Replication"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail EC2 CreateVPC, AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail S3 Bucket Replication, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail IAM Policy Changed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: AWS CloudTrail Route 53 Domain Transfer Lock Disabled, Password Change On Directory Service Restore Mode (DSRM) Account, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail IAM Policy Changed"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: AWS CloudTrail EC2 VM Export Failure"}, {"techniqueID": "T1537", "score": 100, "comment": "Rules: AWS CloudTrail EC2 VM Export Failure"}, {"techniqueID": "T1578.002", "score": 100, "comment": "Rules: AWS CloudTrail EC2 CreateVPC"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Sekoia.io EICAR Detection, AWS CloudTrail EC2 Startup Script Changed, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1562.008", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: AWS CloudTrail RDS Public DB Restore, AWS CloudTrail RDS Change Master Password"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: AWS Persistence By Creating KeyPair And SecurityGroup"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: AWS Persistence By Creating KeyPair And SecurityGroup, User Account Created"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: AWS CloudTrail RDS DB Cluster/Instance Deleted, AWS CloudTrail ECS Cluster Deleted, Backup Catalog Deleted"}, {"techniqueID": "T1580", "score": 100, "comment": "Rules: AWS Suspicious Discovery Commands"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AWS Suspicious Discovery Commands"}, {"techniqueID": "T1619", "score": 100, "comment": "Rules: AWS Suspicious Discovery Commands"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS CloudTrail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1578", "score": 100, "comment": "Rules: AWS CloudTrail IAM Failed User Creation, AWS CloudTrail IAM Policy Changed, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail EC2 CreateVPC, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail S3 Bucket Replication, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail ECS Cluster Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: AWS CloudTrail IAM Failed User Creation, AWS CloudTrail IAM Policy Changed, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail IAM Password Policy Updated, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, AWS CloudTrail IAM ChangePassword, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail Disable MFA, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail Important Change, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail Remove Flow logs, AWS CloudTrail IAM DeleteSAMLProvider, AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: AWS CloudTrail Disable MFA, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail EC2 Security Group Modified, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint, AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, AWS CloudTrail IAM ChangePassword, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail Remove Flow logs, Microsoft Defender Antivirus Tampering Detected, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail Important Change, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, AWS CloudTrail GuardDuty Detector Deleted, AWS CloudTrail IAM DeleteSAMLProvider"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console, Sekoia.io EICAR Detection, AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1021.007", "score": 100, "comment": "Rules: AWS CloudTrail EC2 DeleteKeyPair, AWS CloudTrail EC2 CreateKeyPair, AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey, AWS CloudTrail EC2 Instance Connect SendSSHPublicKey, AWS CloudTrail EC2 Enable Serial Console Access"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: AWS CloudTrail EC2 DeleteKeyPair, AWS CloudTrail EC2 CreateKeyPair, AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey, AWS CloudTrail EC2 Instance Connect SendSSHPublicKey, AWS CloudTrail EC2 Enable Serial Console Access"}, {"techniqueID": "T1562.008", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1578.002", "score": 100, "comment": "Rules: AWS CloudTrail EC2 CreateVPC"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected, AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1578.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail S3 Bucket Replication, AWS CloudTrail ECS Cluster Deleted"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail RDS DB Cluster/Instance Deleted"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: AWS CloudTrail EC2 VM Export Failure"}, {"techniqueID": "T1537", "score": 100, "comment": "Rules: AWS CloudTrail EC2 VM Export Failure"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: AWS CloudTrail RDS Change Master Password, AWS CloudTrail RDS Public DB Restore"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1580", "score": 100, "comment": "Rules: AWS Suspicious Discovery Commands"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AWS Suspicious Discovery Commands"}, {"techniqueID": "T1619", "score": 100, "comment": "Rules: AWS Suspicious Discovery Commands"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: AWS Persistence By Creating KeyPair And SecurityGroup"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: AWS Persistence By Creating KeyPair And SecurityGroup, User Account Created"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json
index ef558de94e..598174c160 100644
--- a/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Broadcom Cloud Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Sliver DNS Beaconing, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Broadcom Cloud Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Dynamic DNS Contacted, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json
index 5dc73a8ddf..f8fe81b5e6 100644
--- a/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ArubaOS Switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On ArubaOS Switch"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On ArubaOS Switch"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ArubaOS Switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Sekoia.io EICAR Detection"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On ArubaOS Switch"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On ArubaOS Switch"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json
index 50e6bc6b76..0e56e01d04 100644
--- a/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Rubycat PROVE IT", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Rubycat PROVE IT", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json
index 7ca23ec83f..170cfd90b7 100644
--- a/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WatchGuard Firebox", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Sliver DNS Beaconing, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On WatchGuard Firebox"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On WatchGuard Firebox"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WatchGuard Firebox", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Dynamic DNS Contacted, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On WatchGuard Firebox"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On WatchGuard Firebox"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json
index fb099afca0..1fa1b60a39 100644
--- a/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Imperva WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cryptomining, Potential LokiBot User-Agent, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Imperva WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_daa275af-af18-42e5-9c8d-e3191c4ac7fa_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_daa275af-af18-42e5-9c8d-e3191c4ac7fa_do_not_edit_manually.json
index 928ecb986e..d6dd5a4dcf 100644
--- a/_shared_content/operations_center/detection/generated/attack_daa275af-af18-42e5-9c8d-e3191c4ac7fa_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_daa275af-af18-42e5-9c8d-e3191c4ac7fa_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x NeroSwarm Honeypot", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Correlation Admin Files Checked On Network Share"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Koadic MSHTML Command, Nimbo-C2 User Agent, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x NeroSwarm Honeypot", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Dynamic DNS Contacted, Potential LokiBot User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Correlation Admin Files Checked On Network Share"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Potential LokiBot User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_dbebefdd-dd2e-48a9-89e6-ee5a00ee0956_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_dbebefdd-dd2e-48a9-89e6-ee5a00ee0956_do_not_edit_manually.json
index 3b7f514f36..6852787a5b 100644
--- a/_shared_content/operations_center/detection/generated/attack_dbebefdd-dd2e-48a9-89e6-ee5a00ee0956_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_dbebefdd-dd2e-48a9-89e6-ee5a00ee0956_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Veeam Backup", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Veeam Backup", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
index ac6390bf34..019d49cac7 100644
--- a/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Zscaler Internet Access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Download Files From Suspicious TLDs, Zscaler ZIA Suspicious Threat, ISO LNK Infection Chain, HTA Infection Chains, Zscaler ZIA Malicious Threat"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Download Files From Suspicious TLDs, Zscaler ZIA Suspicious Threat, ISO LNK Infection Chain, HTA Infection Chains, Zscaler ZIA Malicious Threat"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Suspicious URL Requested By Curl Or Wget Commands"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default POST Beaconing, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Sliver DNS Beaconing, Cobalt Strike HTTP Default POST Beaconing, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing, SEKOIA.IO Intelligence Feed, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Zscaler Internet Access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ISO LNK Infection Chain, ZIP LNK Infection Chain, Zscaler ZIA Malicious Threat, Zscaler ZIA Suspicious Threat, Download Files From Suspicious TLDs, HTA Infection Chains"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Zscaler ZIA Malicious Threat, Zscaler ZIA Suspicious Threat, Download Files From Suspicious TLDs, HTA Infection Chains"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential LokiBot User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Cobalt Strike DNS Beaconing, LokiBot Default C2 URL, Koadic MSHTML Command, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Suspicious URL Requested By Curl Or Wget Commands"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json
index 2b7c8cc970..94bab10ec0 100644
--- a/_shared_content/operations_center/detection/generated/attack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Systancia Cleanroom", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Linux Masquerading Space After Name, Phorpiex Process Masquerading"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Systancia Cleanroom Brute Force"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Systancia Cleanroom", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Linux Masquerading Space After Name, Phorpiex Process Masquerading"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Systancia Cleanroom Brute Force"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_de3bfaa0-8ed4-4b5a-b3fa-bd82b7744a9a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_de3bfaa0-8ed4-4b5a-b3fa-bd82b7744a9a_do_not_edit_manually.json
index 8bfc2e3920..63bffec719 100644
--- a/_shared_content/operations_center/detection/generated/attack_de3bfaa0-8ed4-4b5a-b3fa-bd82b7744a9a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_de3bfaa0-8ed4-4b5a-b3fa-bd82b7744a9a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Wiz Issues", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1651", "score": 100, "comment": "Rules: WIZ Issues Critical Alert Raised"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Koadic MSHTML Command"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Wiz Issues", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1651", "score": 100, "comment": "Rules: WIZ Issues Critical Alert Raised"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Koadic MSHTML Command, Dynamic DNS Contacted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json
index d708cdb68f..f8a69e6dc8 100644
--- a/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Netskope", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Netskope Web Isolation On Suspicious Domain, Netskope Admin Audit High Severity, Netskope Malware Detected, Netskope Malware Patient Zero Detected"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Netskope Web Isolation On Suspicious Domain, Netskope Admin Audit High Severity, Netskope Successful Brute Force On Protected Applications, Netskope Malware Patient Zero Detected, Netskope Successful Brute-Force On Management Console, Netskope Malware Detected, Netskope Potential Brute Force On Protected Applications"}, {"techniqueID": "T1530", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1083", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netskope Alerts Compliance, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Names, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Download Files From Suspicious TLDs, ISO LNK Infection Chain, Download Files From Non-Legitimate TLDs, HTA Infection Chains"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Download Files From Suspicious TLDs, ISO LNK Infection Chain, Download Files From Non-Legitimate TLDs, HTA Infection Chains"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Netskope Successful Brute-Force On Management Console, Netskope Potential Brute Force On Protected Applications, Netskope Successful Brute Force On Protected Applications"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Netskope", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netskope Alerts Compliance"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Dynamic DNS Contacted, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Netskope Malware Detected, Netskope Malware Patient Zero Detected, Netskope Web Isolation On Suspicious Domain, Netskope Admin Audit High Severity"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Netskope Malware Detected, Netskope Successful Brute Force On Protected Applications, Netskope Malware Patient Zero Detected, Netskope Successful Brute-Force On Management Console, Netskope Potential Brute Force On Protected Applications, Netskope Web Isolation On Suspicious Domain, Netskope Admin Audit High Severity"}, {"techniqueID": "T1530", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1083", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, Process Trace Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain, ZIP LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Netskope Successful Brute Force On Protected Applications, Netskope Successful Brute-Force On Management Console, Netskope Potential Brute Force On Protected Applications"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e04c988c-cbb7-4b6a-8025-7b80a301ac28_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e04c988c-cbb7-4b6a-8025-7b80a301ac28_do_not_edit_manually.json
index ee12980ad7..252505452b 100644
--- a/_shared_content/operations_center/detection/generated/attack_e04c988c-cbb7-4b6a-8025-7b80a301ac28_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e04c988c-cbb7-4b6a-8025-7b80a301ac28_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ubika Cloud Protector Next Generation Alerts", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Koadic MSHTML Command, Nimbo-C2 User Agent, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ubika Cloud Protector Next Generation Alerts", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Dynamic DNS Contacted, Potential LokiBot User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Potential LokiBot User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json
index c333d0a60c..9e082ccc4f 100644
--- a/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Proofpoint PoD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Proofpoint PoD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Dynamic DNS Contacted, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Email Attachment Received, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e129243d-0eeb-4b4c-a0f6-f15051b04a7e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e129243d-0eeb-4b4c-a0f6-f15051b04a7e_do_not_edit_manually.json
index f272ac75b4..da4b9fc520 100644
--- a/_shared_content/operations_center/detection/generated/attack_e129243d-0eeb-4b4c-a0f6-f15051b04a7e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e129243d-0eeb-4b4c-a0f6-f15051b04a7e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x CyberArk Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Names, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Cookies Deletion, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x CyberArk Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Microsoft Defender Antivirus Threat Detected, Sekoia.io EICAR Detection"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, Process Trace Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, User Account Created"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Cookies Deletion, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json
index f9e9297d1b..df9a434931 100644
--- a/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Vade for M365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Spam Detected By Vade For M365, Spearphishing (CEO Fraud) Detected By Vade For M365, Phishing Detected By Vade For M365, Spearphishing (W2 Fraud) Detected By Vade For M365, Scam Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked, Spearphishing (Gift Cards Fraud) Detected By Vade For M365, Scam Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365, Spearphishing (Lawyer Fraud) Detected By Vade For M365, Spam Detected By Vade For M365 And Not Blocked, Spearphishing (Initial Contact Fraud) Detected By Vade For M365, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1566.003", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Vade for M365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Phishing Detected By Vade For M365, Scam Detected By Vade For M365, Spearphishing (Lawyer Fraud) Detected By Vade For M365, Spearphishing (CEO Fraud) Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked, Spam Detected By Vade For M365, Malware Detected By Vade For M365, Spearphishing (Gift Cards Fraud) Detected By Vade For M365, Spearphishing (W2 Fraud) Detected By Vade For M365, Scam Detected By Vade For M365 And Not Blocked, Spearphishing (Initial Contact Fraud) Detected By Vade For M365, Spam Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1566.003", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malware Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malware Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e6b9c357-7a55-4c9d-8898-ab6112dd52c3_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e6b9c357-7a55-4c9d-8898-ab6112dd52c3_do_not_edit_manually.json
index 79e7e450b3..466f2a368b 100644
--- a/_shared_content/operations_center/detection/generated/attack_e6b9c357-7a55-4c9d-8898-ab6112dd52c3_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e6b9c357-7a55-4c9d-8898-ab6112dd52c3_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Lookout Mobile Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Lookout Mobile Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json
index 1cd252c01e..47f03ba2b9 100644
--- a/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Okta", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1111", "score": 100, "comment": "Rules: Okta MFA Bypass Attempt, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Okta Many Passwords Reset Attempt, Okta Unauthorized Access to App, Okta Access To Admin Console Denied, Okta Suspicious Activity Reported"}, {"techniqueID": "T1562.007", "score": 100, "comment": "Rules: Okta Network Zone Modified, Okta Network Zone Deactivated, Okta Network Zone Deleted"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Okta Network Zone Modified, Okta Network Zone Deleted, Okta Security Threat Configuration Updated, Okta MFA Disabled, Okta Network Zone Deactivated, Okta Blacklist Manipulations"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Okta Policy Rule Modified or Deleted, Okta Policy Modified or Deleted"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Okta User Account Created"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Okta Phishing Detection with FastPass Origin Check, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Okta Admin Privilege Granted, Okta User Impersonation Access, Okta User Account Deactivated, Okta Application modified, Okta Application deleted"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Okta User Impersonation Access"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Okta API Token revoked, Okta API Token created"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Okta Security Threat Detected, Sekoia.io EICAR Detection"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Okta User Logged In Multiple Applications, Okta User Logged In From Multiple Countries"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Okta MFA Brute-Force Successful, Login Brute-Force Successful On Okta"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Okta MFA Brute-Force Successful, Login Brute-Force Successful On Okta"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Okta Admin Privilege Granted"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Okta MFA Disabled"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Okta User Account Locked"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Okta", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098", "score": 100, "comment": "Rules: Okta Application deleted, Okta User Impersonation Access, Okta Application modified, Okta User Account Deactivated, Okta Admin Privilege Granted"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Okta Security Threat Detected"}, {"techniqueID": "T1562.007", "score": 100, "comment": "Rules: Okta Network Zone Deleted, Okta Network Zone Modified, Okta Network Zone Deactivated"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Okta Security Threat Configuration Updated, Okta Network Zone Modified, Okta Blacklist Manipulations, Okta Network Zone Deactivated, Okta Network Zone Deleted, Okta MFA Disabled"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Okta User Logged In Multiple Applications, Okta User Logged In From Multiple Countries"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Okta Phishing Detection with FastPass Origin Check"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Okta, Okta MFA Brute-Force Successful"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Okta, Okta MFA Brute-Force Successful"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit, Okta MFA Bypass Attempt"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Okta API Token created, Okta API Token revoked"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Okta Admin Privilege Granted"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Okta Access To Admin Console Denied, Okta Suspicious Activity Reported, Okta Many Passwords Reset Attempt, Okta Unauthorized Access to App"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Okta User Account Created"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Okta Policy Modified or Deleted, Okta Policy Rule Modified or Deleted"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Okta MFA Disabled"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Okta User Impersonation Access"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Okta User Account Locked"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e8ca856f-8a58-490b-bea4-247b12b3d74b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e8ca856f-8a58-490b-bea4-247b12b3d74b_do_not_edit_manually.json
index 30ed9577d0..f7ad2fa682 100644
--- a/_shared_content/operations_center/detection/generated/attack_e8ca856f-8a58-490b-bea4-247b12b3d74b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e8ca856f-8a58-490b-bea4-247b12b3d74b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OpenVPN", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OpenVPN", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json
index 235cd565b0..8a74740cf2 100644
--- a/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x IBM AIX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Python Offensive Tools and Packages, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Generic, Suspicious VBS Execution Parameter, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Generic-reverse-shell-oneliner, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, PowerShell EncodedCommand, MalwareBytes Uninstallation, Elise Backdoor, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Interactive Terminal Spawned via Python, Mustang Panda Dropper, Sysprep On AppData Folder, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, Disabled Service, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, Disabled Service, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, Process Trace Alteration, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Createdump, WCE wceaux.dll Creation, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Hijack Legit RDP Session To Move Laterally, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery, WMI Fingerprint Commands"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, Shell PID Injection, Reconnaissance Commands Activities, COM Hijack Via Sdclt, UAC Bypass Via Sdclt"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, PowerView commandlets 1, Shell PID Injection, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Shell PID Injection, Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Chflags Hidden, Hiding Files With Attrib.exe"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Certify Or Certipy"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Windows Defender Logging Modification Via Registry, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, Suspicious Windows Installer Execution, MavInject Process Injection, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Explorer Process Executing HTA File, Control Panel Items, Mshta JavaScript Execution, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, WMI Fingerprint Commands, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WerFaultSecure Abuse"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, QakBot Process Creation, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Change Default File Association, COM Hijack Via Sdclt, Reconnaissance Commands Activities, Component Object Model Hijacking, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, FromBase64String Command Line, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery, Correlation Admin Files Checked On Network Share"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, ISO LNK Infection Chain, HTA Infection Chains"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, SolarWinds Suspicious File Creation, PsExec Process, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Remote System Discovery Via Telnet, Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Information Stealer Downloading Legitimate Third-Party DLLs, Rclone Process"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Dynamic DNS Contacted, Cryptomining, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft IIS Module Installation, Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, User Added To Admin Group Via Cmd, Dscl Authonly, Account Removed From A Security Enabled Group, Enable Root Account With Dsenableroot"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x IBM AIX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Suspicious VBS Execution Parameter, PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell EncodedCommand, Microsoft Office Creating Suspicious File, PowerShell Downgrade Attack, Interactive Terminal Spawned via Python, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, WMIC Uninstall Product, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, Python Offensive Tools and Packages, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Sysprep On AppData Folder, PowerShell Commands Invocation, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Generic-reverse-shell-oneliner, Socat Relaying Socket, Mustang Panda Dropper, JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, Suspicious Cmd.exe Command Line, Suspicious XOR Encoded PowerShell Command Line, Linux Bash Reverse Shell, Malspam Execution Registering Malicious DLL, Suspicious File Name"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Shell PID Injection, UAC Bypass Via Sdclt, Reconnaissance Commands Activities"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 1, PowerView commandlets 2, Shell PID Injection, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, SELinux Disabling, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Fail2ban Unban IP, Disabled Service, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, SELinux Disabling, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Fail2ban Unban IP, Disabled Service, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, WMI Fingerprint Commands, System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Elevated Msiexec Via Repair Functionality, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Kernel Module Alteration, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Certify Or Certipy"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, Chflags Hidden, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, WCE wceaux.dll Creation, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write, Reconnaissance Commands Activities"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 1, NlTest Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, PowerShell Malicious Nishang PowerShell Commandlets, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, RTLO Character, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WerFaultSecure Abuse, Tactical RMM Installation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, WMI Fingerprint Commands, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Information Stealer Downloading Legitimate Third-Party DLLs, Network Connection Via Certutil, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regsvr32 Execution, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ISO LNK Infection Chain, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, HTA Infection Chains"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Correlation Admin Files Checked On Network Share, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft IIS Module Installation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, User Added To Admin Group Via Cmd, Account Removed From A Security Enabled Group, Enable Root Account With Dsenableroot, Dscl Authonly"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ea265b9d-fb48-4e92-9c26-dcfbf937b630_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ea265b9d-fb48-4e92-9c26-dcfbf937b630_do_not_edit_manually.json
index e8f3d3dfdc..80ed026b8d 100644
--- a/_shared_content/operations_center/detection/generated/attack_ea265b9d-fb48-4e92-9c26-dcfbf937b630_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ea265b9d-fb48-4e92-9c26-dcfbf937b630_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Palo Alto Prisma access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, Burp Suite Tool Detected, WAF Correlation Block actions, WAF Correlation Block Multiple Destinations"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, WAF Block Rule, Internet Scanner, Burp Suite Tool Detected, WAF Correlation Block Multiple Destinations, WAF Correlation Block actions"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Names, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Correlation Admin Files Checked On Network Share"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Login Brute-Force Successful On SentinelOne EDR Management Console, ISO LNK Infection Chain, HTA Infection Chains"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Adidnsdump Enumeration, Internet Scanner"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Palo Alto Prisma access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Login Brute-Force Successful On SentinelOne EDR Management Console, Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions, WAF Correlation Block Multiple Destinations, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, WAF Block Rule, WAF Correlation Block actions, Internet Scanner, Burp Suite Tool Detected, WAF Correlation Block Multiple Destinations"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Login Brute-Force Successful On SentinelOne EDR Management Console, HTA Infection Chains"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Email Attachment Received, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, Process Trace Alteration"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Correlation Admin Files Checked On Network Share"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_eb727929-6a06-4e68-a09d-cf0e5daf3ccd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_eb727929-6a06-4e68-a09d-cf0e5daf3ccd_do_not_edit_manually.json
index 2b08dc6623..53d193c70e 100644
--- a/_shared_content/operations_center/detection/generated/attack_eb727929-6a06-4e68-a09d-cf0e5daf3ccd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_eb727929-6a06-4e68-a09d-cf0e5daf3ccd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Postfix", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Bloodhound and Sharphound Tools Usage, Suspicious File Name, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Login Brute-Force Successful On SentinelOne EDR Management Console, ISO LNK Infection Chain, HTA Infection Chains"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Postfix", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Login Brute-Force Successful On SentinelOne EDR Management Console, Sekoia.io EICAR Detection, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Login Brute-Force Successful On SentinelOne EDR Management Console, HTA Infection Chains"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console, SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Cryptomining, Suspicious Windows DNS Queries, Dynamic DNS Contacted, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Email Attachment Received"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Email Attachment Received"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ec7fd978-5526-42c8-acd5-e1b4aa752a73_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ec7fd978-5526-42c8-acd5-e1b4aa752a73_do_not_edit_manually.json
index 036438d231..a14b51eccb 100644
--- a/_shared_content/operations_center/detection/generated/attack_ec7fd978-5526-42c8-acd5-e1b4aa752a73_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ec7fd978-5526-42c8-acd5-e1b4aa752a73_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Seckiot Citadelle", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Seckiot Citadelle", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ece8311e-0e93-4ca8-9aa0-4ef2e19618df_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ece8311e-0e93-4ca8-9aa0-4ef2e19618df_do_not_edit_manually.json
index 006ffe1f0c..70c94febd4 100644
--- a/_shared_content/operations_center/detection/generated/attack_ece8311e-0e93-4ca8-9aa0-4ef2e19618df_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ece8311e-0e93-4ca8-9aa0-4ef2e19618df_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Aleph Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Aleph Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
index 8532b7e963..c007ced0d9 100644
--- a/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SonicWall Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection, Bloodhound and Sharphound Tools Usage, Suspicious File Name"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Names, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Correlation Admin Files Checked On Network Share"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Microsoft Office Creating Suspicious File, ISO LNK Infection Chain, HTA Infection Chains"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Suspicious Windows DNS Queries, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Cryptomining, Potential LokiBot User-Agent, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Suspicious Windows DNS Queries, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot, Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Elevated Shell Launched By Browser"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SonicWall Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Cryptomining, Potential Lemon Duck User-Agent, Suspicious Windows DNS Queries, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, Process Trace Alteration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Desktopimgdownldr Execution, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Suspicious Windows DNS Queries, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ISO LNK Infection Chain, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, HTA Infection Chains"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group, Enable Root Account With Dsenableroot"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Correlation Admin Files Checked On Network Share"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.json
index 05ef87c7a3..e49984d539 100644
--- a/_shared_content/operations_center/detection/generated/attack_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Windows Log Insight", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot, Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Windows Log Insight", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, User Account Created"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group, Enable Root Account With Dsenableroot"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json
index e000f1bf11..1672bb79b7 100644
--- a/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WatchGuard Endpoint Security / Panda Security Aether", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WatchGuard Endpoint Security / Panda Security Aether", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json
index 7865c28607..9c3253eaa3 100644
--- a/_shared_content/operations_center/detection/generated/attack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Check Point NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Potential LokiBot User-Agent, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Check Point NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json
index 1855284d00..4c47e5c8c8 100644
--- a/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Forcepoint Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Potential LokiBot User-Agent, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Forcepoint Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f1eb2bd3-dd6d-4b41-b3be-80874d1bd2d5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f1eb2bd3-dd6d-4b41-b3be-80874d1bd2d5_do_not_edit_manually.json
index 2ee996c359..0c9caa6b7d 100644
--- a/_shared_content/operations_center/detection/generated/attack_f1eb2bd3-dd6d-4b41-b3be-80874d1bd2d5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f1eb2bd3-dd6d-4b41-b3be-80874d1bd2d5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Akamai Guardicore Cloud [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Sekoia.io EICAR Detection, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Akamai Guardicore Cloud [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Cryptomining, Suspicious Windows DNS Queries, Dynamic DNS Contacted, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json
index 7543477429..4ad43c443e 100644
--- a/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Gateway HTTP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cryptomining, Potential LokiBot User-Agent, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Gateway HTTP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Nimbo-C2 User Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json
index e5cb88a3fd..71bc9dfc69 100644
--- a/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Stormshield SES", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, SquirrelWaffle Malspam Execution Loading DLL, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, Trickbot Malware Activity, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Generic, Suspicious VBS Execution Parameter, Powershell Web Request And Windows Script, Microsoft Defender Antivirus Threat Detected, JS PowerShell Infection Chains, Generic-reverse-shell-oneliner, Correlation Supicious Powershell Drop and Exec, Web Application Launching Shell, Suspicious Microsoft Defender Antivirus Exclusion Command, AutoIt3 Execution From Suspicious Folder, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, PowerShell EncodedCommand, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Elise Backdoor, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Interactive Terminal Spawned via Python, Mustang Panda Dropper, Mshta Suspicious Child Process, Screenconnect Remote Execution, Sysprep On AppData Folder, Socat Reverse Shell Detection, Exploited CVE-2020-10189 Zoho ManageEngine, Correlation Netcat Infection Chain, Microsoft Office Spawning Script, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Microsoft Office Product Spawning Windows Shell, Stormshield Ses Emergency Block, IcedID Execution Using Excel, HTA Infection Chains, SquirrelWaffle Malspam Execution Loading DLL, Stormshield Ses Critical Block, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Correlation PowerShell Suspicious DLL Loading, MS Office Product Spawning Exe in User Dir, Microsoft Defender Antivirus Threat Detected, ISO LNK Infection Chain, Exploit For CVE-2015-1641, Winword Document Droppers, Microsoft Office Spawning Script, Stormshield Ses Critical Not Block"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Driver Loaded, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, Netsh Port Forwarding, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Suspicious Driver Loaded, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, FLTMC command usage, Netsh Allow Command, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Powershell AMSI Bypass, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Malware Protection Engine Crash, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1547.013", "score": 100, "comment": "Rules: Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, DLL Load via LSASS Registry Key, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, Svchost Modification, Security Support Provider (SSP) Added to LSA Configuration, Njrat Registry Values, Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Correlation Netcat Infection Chain"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, Process Trace Alteration, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Windows Credential Editor Registry Key, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, NetNTLM Downgrade Attack, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, DHCP Server Error Failed Loading the CallOut DLL, Hijack Legit RDP Session To Move Laterally, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation, Elevated Shell Launched By Browser, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Legitimate Process Execution From Unusual Folder, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery, WMI Fingerprint Commands"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Correlation Netcat Infection Chain, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Rclone Process"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection, Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, Shell PID Injection, COM Hijack Via Sdclt, Reconnaissance Commands Activities, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, PowerView commandlets 1, Shell PID Injection, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Shell PID Injection, Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Chflags Hidden, Hiding Files With Attrib.exe"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Eventlog Cleared, ETW Tampering, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Clear EventLogs Through CommandLine, Correlation Post Exploitation Patterns Via Winrm, Microsoft Defender Antivirus History Deleted, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Mshta Command From A Scheduled Task, Spoolsv Wrong Parent, MavInject Process Injection, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, OceanLotus Registry Activity, Windows Defender Logging Modification Via Registry, LanManServer Registry Modify, NetNTLM Downgrade Attack, Ursnif Registry Key, DHCP Callout DLL Installation, Disabling SmartScreen Via Registry, FlowCloud Malware, RDP Sensitive Settings Changed, DNS ServerLevelPluginDll Installation, Suspicious Desktopimgdownldr Execution, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, MOFComp Execution, Suspicious Windows Installer Execution, IcedID Execution Using Excel, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Explorer Process Executing HTA File, Control Panel Items, Mshta JavaScript Execution, AccCheckConsole Executing Dll, CMSTP UAC Bypass via COM Object Access, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1070.008", "score": 100, "comment": "Rules: Correlation Post Exploitation Patterns Via Winrm"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension, Possible Malicious File Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, WMI Fingerprint Commands, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Process Call Creation, VSCode Tunnel Shell Exec, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WerFaultSecure Abuse, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, Screenconnect Remote Execution, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Taskkill Command, Web Application Launching Shell, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, New Service Creation, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, New Service Creation, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, PsExec Process, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Csrss Child Found, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Suspicious DNS Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Svchost Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Smss Wrong Parent, Gpscript Suspicious Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Microsoft Defender Antivirus Threat Detected, Csrss Wrong Parent, Taskhostw Wrong Parent, PsExec Process, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Windows Update LolBins, Csrss Child Found, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Rare Logonui Child Found, OneNote Suspicious Children Process, Dllhost Wrong Parent, Suspicious DNS Child Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Change Default File Association, COM Hijack Via Sdclt, Reconnaissance Commands Activities, Component Object Model Hijacking, WMI Event Subscription, Suspicious Netsh DLL Persistence, Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Correlation Supicious Powershell Drop and Exec, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, Screenconnect Remote Execution, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery, Correlation Admin Files Checked On Network Share"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Trickbot Malware Activity, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: MS Office Product Spawning Exe in User Dir, Sysmon Windows File Block Executable, Winword Document Droppers, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Svchost Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, System Network Connections Discovery, Internet Scanner, Remote System Discovery Via Telnet, Adidnsdump Enumeration, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Correlation PowerShell Suspicious DLL Loading, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Process Memory Dump Using Createdump"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Suspicious DNS Child Process"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Generic Password Discovery, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, Dynamic DNS Contacted, Cryptomining, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection, Msdt (Follina) File Browse Process Execution, Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft IIS Module Installation, Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, WMI Event Subscription"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, User Added To Admin Group Via Cmd, Dscl Authonly, Account Removed From A Security Enabled Group, Enable Root Account With Dsenableroot"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1563.001", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1563", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1555.001", "score": 100, "comment": "Rules: Generic Password Discovery"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Stormshield SES", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Suspicious VBS Execution Parameter, PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell EncodedCommand, PowerShell Downgrade Attack, Interactive Terminal Spawned via Python, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Web Application Launching Shell, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Correlation Netcat Infection Chain, WMIC Uninstall Product, Trickbot Malware Activity, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, Powershell Web Request, Screenconnect Remote Execution, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Bloodhound and Sharphound Tools Usage, Suspicious Outlook Child Process, Correlation Supicious Powershell Drop and Exec, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Sysprep On AppData Folder, PowerShell Commands Invocation, AutoIt3 Execution From Suspicious Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Generic-reverse-shell-oneliner, SquirrelWaffle Malspam Execution Loading DLL, Socat Relaying Socket, Mustang Panda Dropper, Microsoft Defender Antivirus Threat Detected, JS PowerShell Infection Chains, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Windows Script Execution, Mshta Suspicious Child Process, Suspicious Cmd.exe Command Line, Suspicious XOR Encoded PowerShell Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Bash Reverse Shell, Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Winword Document Droppers, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Sysmon Windows File Block Executable, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Stormshield Ses Critical Block, ZIP LNK Infection Chain, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, HTA Infection Chains, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Stormshield Ses Emergency Block, Cobalt Strike Default Beacons Names, Stormshield Ses Critical Not Block, Suspicious Outlook Child Process, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, Microsoft Defender Antivirus Threat Detected, Winword Document Droppers, Correlation PowerShell Suspicious DLL Loading, ISO LNK Infection Chain, Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cryptomining, Koadic MSHTML Command, Dynamic DNS Contacted, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Suspicious Outlook Child Process"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Correlation Priv Esc Via Remote Thread, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, CMSTP UAC Bypass via COM Object Access, HTML Smuggling Suspicious Usage, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, Shell PID Injection, UAC Bypass Via Sdclt, Reconnaissance Commands Activities"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 1, PowerView commandlets 2, Shell PID Injection, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Microsoft Malware Protection Engine Crash, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, Netsh Program Allowed With Suspicious Location, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh Port Opening, Attempt to Disable Gatekeeper Execution Control, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Microsoft Malware Protection Engine Crash, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, FLTMC command usage, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Tampering Detected, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Linux Masquerading Space After Name, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Possible Malicious File Double Extension, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Correlation Netcat Infection Chain, Linux Bash Reverse Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Correlation Netcat Infection Chain, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Smss Wrong Parent, MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Taskhost Wrong Parent, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Mshta Command From A Scheduled Task, Svchost Wrong Parent"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, WMI Fingerprint Commands, System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Elevated Msiexec Via Repair Functionality, DHCP Server Error Failed Loading the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, Elevated Shell Launched By Browser"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key, Malware Persistence Registry Key, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, Linux Suspicious Auto-start Desktop Shortcut Execution, Microsoft Office Macro Security Registry Modifications, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Security Support Provider (SSP) Added to LSA Configuration, Powershell Winlogon Helper DLL"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Correlation Post Exploitation Patterns Via Winrm, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression, Eventlog Cleared, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, Chflags Hidden, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1547.013", "score": 100, "comment": "Rules: Linux Suspicious Auto-start Desktop Shortcut Execution"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, NetNTLM Downgrade Attack, Rubeus Tool Command-line, HackTools Suspicious Names, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Windows Credential Editor Registry Key"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage, WMI Event Subscription, Component Object Model Hijacking, Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, WMI Persistence Script Event Consumer File Write, Reconnaissance Commands Activities"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Disabling SmartScreen Via Registry, Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Suspicious Desktopimgdownldr Execution, Windows Defender Logging Modification Via Registry, RDP Sensitive Settings Changed, DNS ServerLevelPluginDll Installation, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, Disable Workstation Lock, NetNTLM Downgrade Attack, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious New Printer Ports In Registry, LanManServer Registry Modify, OceanLotus Registry Activity"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 1, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Powershell Web Request, Screenconnect Remote Execution, PowerShell Malicious Nishang PowerShell Commandlets, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Mshta Suspicious Child Process, Suspicious XOR Encoded PowerShell Command Line, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Smss Wrong Parent, Taskhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Child Found, Mshta Command From A Scheduled Task, Rare Logonui Child Found, New Service Creation, SolarWinds Wrong Child Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Smss Wrong Parent, Taskhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Child Found, Mshta Command From A Scheduled Task, Rare Logonui Child Found, New Service Creation, SolarWinds Wrong Child Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Smss Wrong Parent, Taskhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Mshta Command From A Scheduled Task, Csrss Child Found, Rare Logonui Child Found, SolarWinds Wrong Child Process, PsExec Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Smss Wrong Parent, Windows Update LolBins, Taskhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Exfiltration Via Pscp, Csrss Wrong Parent, Rare Lsass Child Found, Logonui Wrong Parent, Searchindexer Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Microsoft Defender Antivirus Threat Detected, Mshta Command From A Scheduled Task, Usage Of Procdump With Common Arguments, Csrss Child Found, Rare Logonui Child Found, SolarWinds Wrong Child Process, PsExec Process, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WerFaultSecure Abuse, Tactical RMM Installation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, WMI Fingerprint Commands, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, VSCode Tunnel Shell Exec, Impacket Wmiexec Module, Suspicious Mshta Execution From Wmi, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Antivirus Web Shell Detection, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft IIS Module Installation"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, CMSTP UAC Bypass via COM Object Access, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regsvr32 Execution, xWizard Execution, AccCheckConsole Executing Dll, MOFComp Execution, Suspicious Windows Installer Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Lazarus Loaders, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Screenconnect Remote Execution, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Mustang Panda Dropper, Web Application Launching Shell, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, ACLight Discovering Privileged Accounts, Remote System Discovery Via Telnet, Internet Scanner, System Network Connections Discovery, Adidnsdump Enumeration"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1070.008", "score": 100, "comment": "Rules: Correlation Post Exploitation Patterns Via Winrm"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Correlation Admin Files Checked On Network Share, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Msdt (Follina) File Browse Process Execution, Antivirus Exploitation Framework Detection, Suspicious Hangul Word Processor Child Process, Antivirus Password Dumper Detection, Suspicious New Printer Ports In Registry, Exploit For CVE-2015-1641"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Antivirus Password Dumper Detection"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, User Added To Admin Group Via Cmd, Account Removed From A Security Enabled Group, Enable Root Account With Dsenableroot, Dscl Authonly"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Suspicious New Printer Ports In Registry, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Correlation PowerShell Suspicious DLL Loading, HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Generic Password Discovery, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, WMI Event Subscription"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Suspicious DNS Child Process, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1555.001", "score": 100, "comment": "Rules: Generic Password Discovery"}, {"techniqueID": "T1563.001", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1563", "score": 100, "comment": "Rules: Potential macOS SSH Brute Force Detected"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f5ec9a05-7a5c-48a7-8898-057387d7c5d4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f5ec9a05-7a5c-48a7-8898-057387d7c5d4_do_not_edit_manually.json
index 65ac6ea9f7..73a5cd468e 100644
--- a/_shared_content/operations_center/detection/generated/attack_f5ec9a05-7a5c-48a7-8898-057387d7c5d4_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f5ec9a05-7a5c-48a7-8898-057387d7c5d4_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft Defender XDR (Graph API) [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Generic, Suspicious VBS Execution Parameter, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Generic-reverse-shell-oneliner, Correlation Supicious Powershell Drop and Exec, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, PowerShell EncodedCommand, MalwareBytes Uninstallation, Elise Backdoor, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Interactive Terminal Spawned via Python, Mustang Panda Dropper, Sysprep On AppData Folder, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, Correlation Netcat Infection Chain, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Driver Loaded, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, Disabled Service, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, Netsh Port Forwarding, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, Disabled Service, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Powershell AMSI Bypass, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Correlation Netcat Infection Chain"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Trace Alteration, Copying Browser Files With Credentials, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Wdigest Enable UseLogonCredential, Credential Dump Tools Related Files, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, HackTools Suspicious Names, Windows Credential Editor Registry Key, WCE wceaux.dll Creation, Rubeus Tool Command-line, NTDS.dit File In Suspicious Directory, NetNTLM Downgrade Attack, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Hijack Legit RDP Session To Move Laterally, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, Elevated Shell Launched By Browser, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery, WMI Fingerprint Commands"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Correlation Netcat Infection Chain, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Information Stealer Downloading Legitimate Third-Party DLLs, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Rclone Process"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, Shell PID Injection, COM Hijack Via Sdclt, Reconnaissance Commands Activities, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, PowerView commandlets 1, Shell PID Injection, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Shell PID Injection, Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, DLL Load via LSASS Registry Key, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, Svchost Modification, Njrat Registry Values"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Chflags Hidden, Hiding Files With Attrib.exe"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, OceanLotus Registry Activity, Windows Defender Logging Modification Via Registry, LanManServer Registry Modify, NetNTLM Downgrade Attack, Ursnif Registry Key, DHCP Callout DLL Installation, Disabling SmartScreen Via Registry, FlowCloud Malware, RDP Sensitive Settings Changed, DNS ServerLevelPluginDll Installation, Suspicious Desktopimgdownldr Execution, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, Suspicious Windows Installer Execution, MavInject Process Injection, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Explorer Process Executing HTA File, Control Panel Items, Mshta JavaScript Execution, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, WMI Fingerprint Commands, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WerFaultSecure Abuse"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, QakBot Process Creation, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Change Default File Association, COM Hijack Via Sdclt, Reconnaissance Commands Activities, Component Object Model Hijacking, Suspicious Netsh DLL Persistence, Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Correlation Supicious Powershell Drop and Exec, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, ISO LNK Infection Chain, HTA Infection Chains"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Svchost Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, SolarWinds Suspicious File Creation, PsExec Process, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Remote System Discovery Via Telnet, Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft IIS Module Installation, Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot, User Added To Admin Group Via Cmd, Dscl Authonly"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft Defender XDR (Graph API) [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Suspicious VBS Execution Parameter, PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell EncodedCommand, Microsoft Office Creating Suspicious File, PowerShell Downgrade Attack, Interactive Terminal Spawned via Python, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Correlation Netcat Infection Chain, WMIC Uninstall Product, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Sysprep On AppData Folder, PowerShell Commands Invocation, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Generic-reverse-shell-oneliner, Socat Relaying Socket, Mustang Panda Dropper, JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, Suspicious Cmd.exe Command Line, Suspicious XOR Encoded PowerShell Command Line, Linux Bash Reverse Shell, Malspam Execution Registering Malicious DLL, Suspicious File Name"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Koadic MSHTML Command, Dynamic DNS Contacted, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, Shell PID Injection, UAC Bypass Via Sdclt, Reconnaissance Commands Activities"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 1, PowerView commandlets 2, Shell PID Injection, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, SELinux Disabling, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Fail2ban Unban IP, Disabled Service, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, Disable .NET ETW Through COMPlus_ETWEnabled, Attempt to Disable Gatekeeper Execution Control, SELinux Disabling, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Fail2ban Unban IP, Disabled Service, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Correlation Netcat Infection Chain, Linux Bash Reverse Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Information Stealer Downloading Legitimate Third-Party DLLs, Network Connection Via Certutil, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Correlation Netcat Infection Chain, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, WMI Fingerprint Commands, System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Elevated Msiexec Via Repair Functionality, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, Elevated Shell Launched By Browser"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key, Malware Persistence Registry Key, Kernel Module Alteration, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Powershell Winlogon Helper DLL"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Certify Or Certipy, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, Chflags Hidden, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Mimikatz Basic Commands, NetNTLM Downgrade Attack, Copying Browser Files With Credentials, HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage, Component Object Model Hijacking, Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, WMI Persistence Script Event Consumer File Write, Reconnaissance Commands Activities"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Disabling SmartScreen Via Registry, Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Suspicious Desktopimgdownldr Execution, Windows Defender Logging Modification Via Registry, RDP Sensitive Settings Changed, DNS ServerLevelPluginDll Installation, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, Disable Workstation Lock, NetNTLM Downgrade Attack, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious New Printer Ports In Registry, LanManServer Registry Modify, OceanLotus Registry Activity"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 1, NlTest Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WerFaultSecure Abuse, Tactical RMM Installation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, WMI Fingerprint Commands, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regsvr32 Execution, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ISO LNK Infection Chain, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, HTA Infection Chains"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Scheduled Task Creation By Non Privileged User, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, Webshell Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting, Office Application Startup Office Test"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd, Enable Root Account With Dsenableroot, Dscl Authonly"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f5f05e2a-32fc-432d-9f00-11f490ae15f4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f5f05e2a-32fc-432d-9f00-11f490ae15f4_do_not_edit_manually.json
index 01f6e28618..ed553e5ec5 100644
--- a/_shared_content/operations_center/detection/generated/attack_f5f05e2a-32fc-432d-9f00-11f490ae15f4_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f5f05e2a-32fc-432d-9f00-11f490ae15f4_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Juniper NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Python Offensive Tools and Packages, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Generic, Suspicious VBS Execution Parameter, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Generic-reverse-shell-oneliner, Correlation Supicious Powershell Drop and Exec, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Aspnet Compiler, PowerShell EncodedCommand, MalwareBytes Uninstallation, Elise Backdoor, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Interactive Terminal Spawned via Python, Mustang Panda Dropper, Sysprep On AppData Folder, Socat Reverse Shell Detection, Correlation Netcat Infection Chain, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, Disabled Service, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Package Manager Alteration, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, Disabled Service, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Package Manager Alteration, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, Container Credential Access, Opening Of a Password File, Credentials Extraction, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Correlation Netcat Infection Chain"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, Process Trace Alteration, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Enabling Restricted Admin Mode, SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Hijack Legit RDP Session To Move Laterally, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, Elevated Shell Launched By Browser, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery, WMI Fingerprint Commands"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Correlation Netcat Infection Chain, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Rclone Process"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, Shell PID Injection, Reconnaissance Commands Activities, COM Hijack Via Sdclt, UAC Bypass Via Sdclt"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, PowerView commandlets 1, Shell PID Injection, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Shell PID Injection, Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Chflags Hidden, Hiding Files With Attrib.exe"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Certify Or Certipy"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Windows Defender Logging Modification Via Registry, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, Suspicious Windows Installer Execution, MavInject Process Injection, xWizard Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Explorer Process Executing HTA File, Control Panel Items, Mshta JavaScript Execution, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, WMI Fingerprint Commands, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WerFaultSecure Abuse"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, QakBot Process Creation, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Change Default File Association, COM Hijack Via Sdclt, Reconnaissance Commands Activities, Component Object Model Hijacking, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Correlation Supicious Powershell Drop and Exec, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Correlation PowerShell Suspicious DLL Loading"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Remote System Discovery Via Telnet, Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credentials Extraction, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Correlation PowerShell Suspicious DLL Loading, ZIP LNK Infection Chain"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft IIS Module Installation, PowerCat Function Loading"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot, User Added To Admin Group Via Cmd, Dscl Authonly"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Juniper NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Suspicious VBS Execution Parameter, PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell EncodedCommand, PowerShell Downgrade Attack, Interactive Terminal Spawned via Python, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Correlation Netcat Infection Chain, WMIC Uninstall Product, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, Powershell Web Request, Python Offensive Tools and Packages, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Sysprep On AppData Folder, PowerShell Commands Invocation, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Generic-reverse-shell-oneliner, Socat Relaying Socket, Mustang Panda Dropper, JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, Suspicious Cmd.exe Command Line, Suspicious XOR Encoded PowerShell Command Line, Aspnet Compiler, Linux Bash Reverse Shell, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Suspicious Windows DNS Queries, Dynamic DNS Contacted, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Shell PID Injection, UAC Bypass Via Sdclt, Reconnaissance Commands Activities"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 1, PowerView commandlets 2, Shell PID Injection, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, SELinux Disabling, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Fail2ban Unban IP, Package Manager Alteration, Disabled Service, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, SELinux Disabling, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Fail2ban Unban IP, Package Manager Alteration, Disabled Service, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Correlation Netcat Infection Chain, Linux Bash Reverse Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Correlation Netcat Infection Chain, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, WMI Fingerprint Commands, System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Elevated Msiexec Via Repair Functionality, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, Elevated Shell Launched By Browser"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Kernel Module Alteration, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Certify Or Certipy"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, Chflags Hidden, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Credentials Extraction, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode, SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Cron Files Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, HackTools Suspicious Names, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write, Reconnaissance Commands Activities"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 1, NlTest Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, RTLO Character, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WerFaultSecure Abuse, Tactical RMM Installation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, WMI Fingerprint Commands, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, CMSTP Execution, Suspicious Regsvr32 Execution, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Correlation PowerShell Suspicious DLL Loading, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, OneNote Suspicious Children Process"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credentials Extraction, PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Correlation PowerShell Suspicious DLL Loading, ZIP LNK Infection Chain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft IIS Module Installation"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd, Enable Root Account With Dsenableroot, Dscl Authonly"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f6cfddb4-543a-41fe-9802-c66b7c90366d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f6cfddb4-543a-41fe-9802-c66b7c90366d_do_not_edit_manually.json
index 22a585710b..8da4a520c7 100644
--- a/_shared_content/operations_center/detection/generated/attack_f6cfddb4-543a-41fe-9802-c66b7c90366d_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f6cfddb4-543a-41fe-9802-c66b7c90366d_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x BeyondTrust Privileged Remote Access Session", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, PowerShell EncodedCommand, MalwareBytes Uninstallation, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, Mustang Panda Dropper, Socat Reverse Shell Detection, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Process Trace Alteration, HackTools Suspicious Names, Windows Credential Editor Registry Key, WCE wceaux.dll Creation, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, NetNTLM Downgrade Attack, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, SSH Authorized Key Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Linux Masquerading Space After Name, Phorpiex Process Masquerading, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Listing Systemd Environment, WMI Fingerprint Commands"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage, Container Credential Access"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Package Manager Alteration, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, Netsh Port Forwarding, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Package Manager Alteration, Powershell AMSI Bypass, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, OceanLotus Registry Activity, Windows Defender Logging Modification Via Registry, LanManServer Registry Modify, NetNTLM Downgrade Attack, Ursnif Registry Key, DHCP Callout DLL Installation, Disabling SmartScreen Via Registry, FlowCloud Malware, RDP Sensitive Settings Changed, DNS ServerLevelPluginDll Installation, Suspicious Desktopimgdownldr Execution, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, WMI Fingerprint Commands, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, WMImplant Hack Tool, Blue Mockingbird Malware"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, PowerView commandlets 1, Reconnaissance Commands Activities, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Cookies Deletion, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, DLL Load via LSASS Registry Key, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, Svchost Modification, Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration, Njrat Registry Values"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Change Default File Association, COM Hijack Via Sdclt, Reconnaissance Commands Activities, Component Object Model Hijacking, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Generic, Suspicious PowerShell Keywords, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Powershell Web Request And Windows Script, FromBase64String Command Line, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery, Correlation Admin Files Checked On Network Share"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Malspam Execution Registering Malicious DLL, ISO LNK Infection Chain, HTA Infection Chains"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Executions, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Equation Group DLL_U Load, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Executions, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Suspicious Desktopimgdownldr Execution, MavInject Process Injection"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, COM Hijack Via Sdclt, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Svchost Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Rclone Process"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Dynamic DNS Contacted, Cryptomining, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x BeyondTrust Privileged Remote Access Session", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, WMIC Uninstall Product, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, PowerShell Commands Invocation, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, Mustang Panda Dropper, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Cmd.exe Command Line, Linux Bash Reverse Shell, Malspam Execution Registering Malicious DLL, Suspicious File Name"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Dynamic DNS Contacted, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.006", "score": 100, "comment": "Rules: Linux Masquerading Space After Name"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Linux Masquerading Space After Name, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Possible Malicious File Double Extension"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Allowed Python Program, Suspicious Driver Loaded, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Disable Services, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Credential Dump Tools Related Files, NTDS.dit File Interaction Through Command Line, NetNTLM Downgrade Attack, Rubeus Tool Command-line, NTDS.dit File In Suspicious Directory, HackTools Suspicious Names, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, WCE wceaux.dll Creation, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Discovery Commands Correlation, WMI Fingerprint Commands"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage, Component Object Model Hijacking, Reconnaissance Commands Activities"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Disabling SmartScreen Via Registry, Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Suspicious Desktopimgdownldr Execution, Windows Defender Logging Modification Via Registry, RDP Sensitive Settings Changed, DNS ServerLevelPluginDll Installation, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, Disable Workstation Lock, NetNTLM Downgrade Attack, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious New Printer Ports In Registry, LanManServer Registry Modify, OceanLotus Registry Activity"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key, Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, Suspicious desktop.ini Action, Microsoft Office Macro Security Registry Modifications, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Security Support Provider (SSP) Added to LSA Configuration, Powershell Winlogon Helper DLL"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 1, NlTest Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, Invoke-TheHash Commandlets, PowerShell EncodedCommand, PowerShell Invoke Expression With Registry, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Tactical RMM Installation, Invoke-TheHash Commandlets, WMI Fingerprint Commands, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, WMIC Uninstall Product"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Malspam Execution Registering Malicious DLL, HTA Infection Chains"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, MavInject Process Injection, Suspicious Taskkill Command, CertOC Loading Dll, Control Panel Items, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server, Detect requests to Konni C2 servers"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Correlation Admin Files Checked On Network Share, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious certutil command, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Impacket Addcomputer, User Account Created"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, Cookies Deletion, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f95fea50-533c-4897-9272-2f8361e63644_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f95fea50-533c-4897-9272-2f8361e63644_do_not_edit_manually.json
index cefb8cbc55..f5d3e2cd4b 100644
--- a/_shared_content/operations_center/detection/generated/attack_f95fea50-533c-4897-9272-2f8361e63644_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f95fea50-533c-4897-9272-2f8361e63644_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x EfficientIP SOLIDServer DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: EfficientIP SOLIDServer Suspicious Behavior"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x EfficientIP SOLIDServer DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Cobalt Strike DNS Beaconing, Dynamic DNS Contacted, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: EfficientIP SOLIDServer Suspicious Behavior"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.json
index a7e801c45d..1a4c002dd0 100644
--- a/_shared_content/operations_center/detection/generated/attack_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x IBM iSeries", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection, Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage, Aspnet Compiler"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Names, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Correlation Admin Files Checked On Network Share"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Microsoft Office Creating Suspicious File, ISO LNK Infection Chain, HTA Infection Chains"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot, Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x IBM iSeries", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Sekoia.io EICAR Detection, Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File, Suspicious File Name"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, Process Trace Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ISO LNK Infection Chain, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, HTA Infection Chains"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group, Enable Root Account With Dsenableroot"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Correlation Admin Files Checked On Network Share"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json
index a6c07815d6..c8ec1a8a01 100644
--- a/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS CloudFront", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Koadic MSHTML Command, Nimbo-C2 User Agent, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Potential LokiBot User-Agent, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS CloudFront", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Potential LokiBot User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Potential LokiBot User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_fe9c462f-8907-4a4d-9a34-5ffff0a2c56f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_fe9c462f-8907-4a4d-9a34-5ffff0a2c56f_do_not_edit_manually.json
index f9ecda87db..8e67eac522 100644
--- a/_shared_content/operations_center/detection/generated/attack_fe9c462f-8907-4a4d-9a34-5ffff0a2c56f_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_fe9c462f-8907-4a4d-9a34-5ffff0a2c56f_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Barracuda CloudGen Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, QakBot Process Creation, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, FromBase64String Command Line, Python Offensive Tools and Packages, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell Commands Invocation, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Generic, Suspicious VBS Execution Parameter, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Generic-reverse-shell-oneliner, Correlation Supicious Powershell Drop and Exec, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Aspnet Compiler, PowerShell EncodedCommand, MalwareBytes Uninstallation, Elise Backdoor, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Interactive Terminal Spawned via Python, Mustang Panda Dropper, Sysprep On AppData Folder, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, Correlation Netcat Infection Chain, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Attempt to Disable Gatekeeper Execution Control, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Debugging Software Deactivation, Netsh Port Opening, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SSH Reverse Socks, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Correlation Netcat Infection Chain"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, Process Trace Alteration, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Createdump, WCE wceaux.dll Creation, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Hijack Legit RDP Session To Move Laterally, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery, WMI Fingerprint Commands"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Correlation Netcat Infection Chain, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Information Stealer Downloading Legitimate Third-Party DLLs, Rclone Process"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, Shell PID Injection, Reconnaissance Commands Activities, COM Hijack Via Sdclt, UAC Bypass Via Sdclt"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, PowerView commandlets 1, Shell PID Injection, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Shell PID Injection, Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Chflags Hidden, Hiding Files With Attrib.exe"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Cookies Deletion, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Windows Defender Logging Modification Via Registry, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, Suspicious Windows Installer Execution, MavInject Process Injection, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Explorer Process Executing HTA File, Control Panel Items, Mshta JavaScript Execution, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Windows Sandbox Start, WMI Fingerprint Commands, Invoke-TheHash Commandlets, WMI Install Of Binary, Tactical RMM Installation, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WerFaultSecure Abuse"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Mustang Panda Dropper, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, QakBot Process Creation, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Change Default File Association, COM Hijack Via Sdclt, Reconnaissance Commands Activities, Component Object Model Hijacking, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, FromBase64String Command Line, Powershell Web Request, Suspicious XOR Encoded PowerShell Command Line, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Powershell Web Request And Windows Script, JS PowerShell Infection Chains, Correlation Supicious Powershell Drop and Exec, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, AdFind Usage"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, ISO LNK Infection Chain, HTA Infection Chains"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Empire Monkey Activity"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, SolarWinds Suspicious File Creation, PsExec Process, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, System Network Connections Discovery, Internet Scanner, Remote System Discovery Via Telnet, Adidnsdump Enumeration, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft IIS Module Installation, Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Exclude File From Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Enable Root Account With Dsenableroot, User Added To Admin Group Via Cmd, Dscl Authonly"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Barracuda CloudGen Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Suspicious VBS Execution Parameter, PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell EncodedCommand, Microsoft Office Creating Suspicious File, PowerShell Downgrade Attack, Interactive Terminal Spawned via Python, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Correlation Netcat Infection Chain, WMIC Uninstall Product, Invoke-TheHash Commandlets, Lazarus Loaders, PowerShell Invoke Expression With Registry, Powershell Web Request, Python Offensive Tools and Packages, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Sysprep On AppData Folder, PowerShell Commands Invocation, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Generic-reverse-shell-oneliner, Socat Relaying Socket, Mustang Panda Dropper, JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, Suspicious Cmd.exe Command Line, Suspicious XOR Encoded PowerShell Command Line, Aspnet Compiler, Linux Bash Reverse Shell, Malspam Execution Registering Malicious DLL, Suspicious File Name"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Suspicious Windows DNS Queries, Dynamic DNS Contacted, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Shell PID Injection, UAC Bypass Via Sdclt, Reconnaissance Commands Activities"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 1, PowerView commandlets 2, Shell PID Injection, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Powershell AMSI Bypass, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Dism Disabling Windows Defender, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Attempt to Disable Gatekeeper Execution Control, Netsh Port Opening, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Allow Command, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Correlation Netcat Infection Chain, Linux Bash Reverse Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Information Stealer Downloading Legitimate Third-Party DLLs, Network Connection Via Certutil, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Correlation Netcat Infection Chain, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, SSH Reverse Socks, Socat Reverse Shell Detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket, Ngrok Process Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, WMI Fingerprint Commands, System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Elevated Msiexec Via Repair Functionality, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Kernel Module Alteration, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Cookies Deletion, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, Chflags Hidden, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, WCE wceaux.dll Creation, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write, Reconnaissance Commands Activities"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 1, NlTest Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, Powershell Web Request And Windows Script, Suspicious Taskkill Command, FromBase64String Command Line, PowerShell EncodedCommand, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), JS PowerShell Infection Chains, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, RTLO Character, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WerFaultSecure Abuse, Tactical RMM Installation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, WMI Fingerprint Commands, Windows Sandbox Start, Wmic Process Call Creation, Wmic Service Call, WMImplant Hack Tool, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regsvr32 Execution, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Tmutil Delete Backups, Commonly Used Commands To Stop Services And Remove Backups, Tmutil Disabled, Inhibit System Recovery Deleting Backups, Tmutil Exclude File From Backups, Stop Backup Services"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, ACLight Discovering Privileged Accounts, Remote System Discovery Via Telnet, Internet Scanner, System Network Connections Discovery, Adidnsdump Enumeration"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ISO LNK Infection Chain, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, HTA Infection Chains"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Executions, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript), Startup Item Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft IIS Module Installation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, JS PowerShell Infection Chains, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Chflags Hidden"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd, Enable Root Account With Dsenableroot, Dscl Authonly"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: User Added To Admin Group Via Cmd"}, {"techniqueID": "T1037.005", "score": 100, "comment": "Rules: Startup Item Created"}, {"techniqueID": "T1056", "score": 100, "comment": "Rules: AppleScript Password Prompt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_do_not_edit_manually.json
index da9943bcac..be127896b3 100644
--- a/_shared_content/operations_center/detection/generated/attack_ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x HAProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default POST Beaconing, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cryptomining, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default POST Beaconing, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x HAProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Cryptomining, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, LokiBot Default C2 URL, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ff575606-1cec-4d9f-8e08-d02dd9100af8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ff575606-1cec-4d9f-8e08-d02dd9100af8_do_not_edit_manually.json
index 1fd5e20a27..fcc144993c 100644
--- a/_shared_content/operations_center/detection/generated/attack_ff575606-1cec-4d9f-8e08-d02dd9100af8_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ff575606-1cec-4d9f-8e08-d02dd9100af8_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trellix Advanced Threat Defense", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trellix Advanced Threat Defense", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md
index 10655fc22e..e1ab9da696 100644
--- a/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md
@@ -1,4 +1,4 @@
-Changelog _last update on 2026-06-04_
+Changelog _last update on 2026-06-11_
 
 ## Changelog
 
@@ -6,23 +6,31 @@ Changelog _last update on 2026-06-04_
   - 03/06/2026 - major - Added a new condition to match only on alerts to avoid false positives.
   - 13/09/2024 - major - Update service name value following Microsoft change
     
-### Microsoft Defender XDR Entra ID Protection Alert
+### Microsoft Defender XDR Endpoint Alert
   - 03/06/2026 - major - Added a new condition to match only on alerts to avoid false positives.
-  - 12/11/2025 - minor - Update rule type to integration
     
-### Microsoft Defender XDR Cloud App Security Alert
+### Microsoft Defender XDR Entra ID Protection Alert
   - 03/06/2026 - major - Added a new condition to match only on alerts to avoid false positives.
-  - 13/09/2024 - major - Update service name value following Microsoft change
+  - 12/11/2025 - minor - Update rule type to integration
     
-### Microsoft Defender XDR Endpoint Alert
+### Microsoft Defender XDR Office 365 Alert
   - 03/06/2026 - major - Added a new condition to match only on alerts to avoid false positives.
     
 ### Microsoft Defender XDR Data Loss Prevention Alert
   - 03/06/2026 - major - Added a new condition to match only on alerts to avoid false positives.
   - 12/11/2025 - minor - Update rule type to integration
     
-### Microsoft Defender XDR Office 365 Alert
+### Microsoft Defender XDR Cloud App Security Alert
   - 03/06/2026 - major - Added a new condition to match only on alerts to avoid false positives.
+  - 13/09/2024 - major - Update service name value following Microsoft change
+    
+### Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses
+  - 01/06/2026 - minor - Adding more filter and review group-by clause to reduce false positives
+    
+### Microsoft 365 Sign-in With No User Agent
+  - 01/06/2026 - minor - Adding filter on user_type code to reduce false positives
+  - 10/04/2025 - minor - Exclude more error codes to reduce false positives
+  - 04/12/2023 - major - Added `Login:login` request type with a filter for codes indicating failure
     
 ### Login Brute-Force Successful On AzureAD From Single IP Address
   - 01/06/2026 - minor - Adding error code as filters to reduce false positives.
@@ -32,21 +40,13 @@ Changelog _last update on 2026-06-04_
   - 16/08/2024 - minor - The error code 50078 has been excluded as it is not a specific error code related to a login failure that we want to detect and caused several false positives.
   - 23/03/2023 - minor - The error code 50076 has been excluded as it is not a specific error code related to a login failure that we want to detect and caused several false positives.
     
-### Microsoft 365 Sign-in With No User Agent
-  - 01/06/2026 - minor - Adding filter on user_type code to reduce false positives
-  - 10/04/2025 - minor - Exclude more error codes to reduce false positives
-  - 04/12/2023 - major - Added `Login:login` request type with a filter for codes indicating failure
-    
-### Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses
-  - 01/06/2026 - minor - Adding more filter and review group-by clause to reduce false positives
-    
 ### Proofpoint TAP Email Classified As Phishing But Allowed
   - 01/06/2026 - major - Adding a new selection for "click" events as they do not have a threat score. Effort level adapted as well since this is now an integration rule.
     
-### Proofpoint TAP Email Classified As Malware But Allowed
+### Proofpoint TAP Email Classified As Spam But Allowed
   - 01/06/2026 - major - Adding a new selection for "click" events as they do not have a threat score. Effort level adapted as well since this is now an integration rule.
     
-### Proofpoint TAP Email Classified As Spam But Allowed
+### Proofpoint TAP Email Classified As Malware But Allowed
   - 01/06/2026 - major - Adding a new selection for "click" events as they do not have a threat score. Effort level adapted as well since this is now an integration rule.
     
 ### User Added to Local Administrators
@@ -67,78 +67,73 @@ Changelog _last update on 2026-06-04_
   - 21/06/2024 - major - Update detection pattern for ECS fields/value compliance
   - 16/05/2024 - minor - add pattern to extend and improve detection
     
-### Broadcom/Symantec Endpoint Security Event Terminate
+### Sophos EDR Application Detected
   - 18/03/2026 - minor - Update rule type to integration
     
-### Sophos EDR Application Blocked
+### WithSecure Elements Warning Severity
   - 18/03/2026 - minor - Update rule type to integration
+  - 07/04/2025 - minor - Similarity strategy changed to avoid too much grouping
     
-### Stormshield Ses Emergency Block
+### Stormshield Ses Critical Not Block
   - 18/03/2026 - minor - Update rule type to integration
     
-### Stormshield Ses Critical Block
+### Sophos EDR CorePUA Clean
   - 18/03/2026 - minor - Update rule type to integration
     
-### Bitdefender GravityZone Endpoint Detection
+### Stormshield Ses Critical Block
   - 18/03/2026 - minor - Update rule type to integration
     
-### Sophos EDR CorePUA Detection
+### Stormshield Ses Emergency Block
   - 18/03/2026 - minor - Update rule type to integration
     
-### Stormshield Ses Critical Not Block
+### Bitdefender GravityZone Endpoint Detection
   - 18/03/2026 - minor - Update rule type to integration
     
-### Broadcom/Symantec Endpoint Security Event Blocked
+### Broadcom/Symantec Endpoint Security Event Cleaned
   - 18/03/2026 - minor - Update rule type to integration
     
-### WithSecure Elements Warning Severity
+### Sophos EDR CorePUA Detection
   - 18/03/2026 - minor - Update rule type to integration
-  - 07/04/2025 - minor - Similarity strategy changed to avoid too much grouping
     
 ### Broadcom/Symantec Endpoint Security Event Quarantined
   - 18/03/2026 - minor - Update rule type to integration
     
-### Sophos EDR Application Detected
+### Broadcom/Symantec Endpoint Security Event Terminate
   - 18/03/2026 - minor - Update rule type to integration
     
-### Broadcom/Symantec Endpoint Security Event Cleaned
+### Sophos EDR Application Blocked
   - 18/03/2026 - minor - Update rule type to integration
     
-### Sophos EDR CorePUA Clean
+### Broadcom/Symantec Endpoint Security Event Blocked
   - 18/03/2026 - minor - Update rule type to integration
     
-### HarfangLab EDR Critical Threat
+### HarfangLab EDR Low Threat
   - 12/03/2026 - minor - Update rule type to integration
   - 16/01/2025 - minor - Adding format field to improve rules mapping
-  - 23/12/2024 - minor - Change alert severity
     
 ### HarfangLab EDR Low Level Rule Detection
   - 12/03/2026 - minor - Update rule type to integration
   - 16/01/2025 - minor - Adding format field to improve rules mapping
   - 23/05/2024 - minor - Added filter to exclude threat dataset
     
-### HarfangLab EDR High Threat
+### HarfangLab EDR High Level Rule Detection
   - 12/03/2026 - minor - Update rule type to integration
   - 16/01/2025 - minor - Adding format field to improve rules mapping
-  - 23/12/2024 - minor - Change alert severity
+  - 23/05/2024 - minor - Added filter to exclude threat dataset
     
 ### HarfangLab EDR Suspicious Process Behavior Has Been Detected
   - 12/03/2026 - minor - Update rule type to integration
   - 16/01/2025 - minor - Adding format field to improve rules mapping
     
-### HarfangLab EDR Hlai Engine Detection
-  - 12/03/2026 - minor - Update rule type to integration
-  - 16/01/2025 - minor - Adding format field to improve rules mapping
-  - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-    
 ### HarfangLab EDR Critical Level Rule Detection
   - 12/03/2026 - minor - Update rule type to integration
   - 16/01/2025 - minor - Adding format field to improve rules mapping
   - 23/05/2024 - minor - Added filter to exclude threat dataset
     
-### HarfangLab EDR Low Threat
+### HarfangLab EDR Medium Level Rule Detection
   - 12/03/2026 - minor - Update rule type to integration
   - 16/01/2025 - minor - Adding format field to improve rules mapping
+  - 23/05/2024 - minor - Added filter to exclude threat dataset
     
 ### HarfangLab EDR Process Execution Blocked (HL-AI engine)
   - 12/03/2026 - minor - Update rule type to integration
@@ -146,101 +141,106 @@ Changelog _last update on 2026-06-04_
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
   - 10/01/2024 - major - Account for all blocks instead of only "Startup blocked". Rule name explicitly mentions HL-AI engine.
     
-### HarfangLab EDR Medium Level Rule Detection
+### HarfangLab EDR High Threat
   - 12/03/2026 - minor - Update rule type to integration
   - 16/01/2025 - minor - Adding format field to improve rules mapping
-  - 23/05/2024 - minor - Added filter to exclude threat dataset
+  - 23/12/2024 - minor - Change alert severity
     
-### HarfangLab EDR High Level Rule Detection
+### HarfangLab EDR Medium Threat
   - 12/03/2026 - minor - Update rule type to integration
   - 16/01/2025 - minor - Adding format field to improve rules mapping
-  - 23/05/2024 - minor - Added filter to exclude threat dataset
     
-### HarfangLab EDR Medium Threat
+### HarfangLab EDR Hlai Engine Detection
   - 12/03/2026 - minor - Update rule type to integration
   - 16/01/2025 - minor - Adding format field to improve rules mapping
+  - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
-### Darktrace Threat Visualizer Threat Critical Alert
+### HarfangLab EDR Critical Threat
+  - 12/03/2026 - minor - Update rule type to integration
+  - 16/01/2025 - minor - Adding format field to improve rules mapping
+  - 23/12/2024 - minor - Change alert severity
+    
+### Daspren Parad Malicious Behavior
   - 05/03/2026 - minor - Update rule type to integration
     
-### Gatewatcher AionIQ V103 Shellcode Detect
+### Gatewatcher AionIQ V103 Dga Detect
   - 05/03/2026 - minor - Update rule type to integration
     
 ### Claroty xDome Network Threat Detection Alert
   - 05/03/2026 - minor - Update rule type to integration
     
-### Datadome Protection Intrusion Detection
+### Suricata Attempted Administrator Privilege Gain High Severity Alert
   - 05/03/2026 - minor - Update rule type to integration
     
-### Suricata Exploit Kit Activity Detected High Severity Alert
+### Gatewatcher AionIQ V103 Network Behavior Analytics
   - 05/03/2026 - minor - Update rule type to integration
     
-### Suricata Web Application Attack High Severity Alert
+### Gatewatcher AionIQ V103 Retrohunt
   - 05/03/2026 - minor - Update rule type to integration
+  - 30/06/2025 - minor - Changing similarity on threat name.
     
-### Gatewatcher AionIQ Network Alert
+### Gatewatcher AionIQ Malware Alert
   - 05/03/2026 - minor - Update rule type to integration
     
-### Gatewatcher AionIQ V103 Malicious Powershell Detect
+### Gatewatcher AionIQ V103 Malcore
   - 05/03/2026 - minor - Update rule type to integration
+  - 27/01/2025 - minor - Changing field and adding filter to reduce false positives.
+  - 24/01/2025 - minor - Adding filter to reduce false positives.
     
-### Darktrace Threat Visualizer Threat Suspicious Alert
+### Suricata Exploit Kit Activity Detected High Severity Alert
   - 05/03/2026 - minor - Update rule type to integration
     
-### Gatewatcher AionIQ V103 Sigflow Alert
+### Gatewatcher AionIQ V103 Malicious Powershell Detect
   - 05/03/2026 - minor - Update rule type to integration
     
-### Gatewatcher AionIQ V103 Network Behavior Analytics
+### Gatewatcher AionIQ V103 Beacon Detect
   - 05/03/2026 - minor - Update rule type to integration
     
-### Daspren Parad Malicious Behavior
+### Darktrace Threat Visualizer Threat Suspicious Alert
   - 05/03/2026 - minor - Update rule type to integration
     
-### Gatewatcher AionIQ Malware Alert
+### Gatewatcher AionIQ V103 Shellcode Detect
   - 05/03/2026 - minor - Update rule type to integration
     
-### Suricata Attempted Administrator Privilege Gain High Severity Alert
+### Alert High Severity Sesame it Jizo NDR
   - 05/03/2026 - minor - Update rule type to integration
     
-### Gatewatcher AionIQ V103 Beacon Detect
+### Gatewatcher AionIQ Network Alert
   - 05/03/2026 - minor - Update rule type to integration
     
-### Gatewatcher AionIQ V103 Retrohunt
+### Datadome Protection Intrusion Detection
   - 05/03/2026 - minor - Update rule type to integration
-  - 30/06/2025 - minor - Changing similarity on threat name.
     
-### Gatewatcher AionIQ V103 Ransomware Detect
+### Suricata Web Application Attack High Severity Alert
   - 05/03/2026 - minor - Update rule type to integration
     
-### Gatewatcher AionIQ V103 Dga Detect
+### Gatewatcher AionIQ V103 Active CTI
   - 05/03/2026 - minor - Update rule type to integration
     
-### Alert High Severity Sesame it Jizo NDR
+### Gatewatcher AionIQ V103 Sigflow Alert
   - 05/03/2026 - minor - Update rule type to integration
     
-### Gatewatcher AionIQ V103 Active CTI
+### Gatewatcher AionIQ V103 Ransomware Detect
   - 05/03/2026 - minor - Update rule type to integration
     
-### Gatewatcher AionIQ V103 Malcore
+### Darktrace Threat Visualizer Threat Critical Alert
   - 05/03/2026 - minor - Update rule type to integration
-  - 27/01/2025 - minor - Changing field and adding filter to reduce false positives.
-  - 24/01/2025 - minor - Adding filter to reduce false positives.
     
 ### WAF Block Rule
   - 04/03/2026 - major - Removing intakes from the rule to make it more generic and match all WAF products. The sources and description fields were updated accordingly.
   - 15/11/2023 - minor - Adding support for Ubika
     
-### Palo Alto Cortex XDR (EDR) Alert Not Blocked (Low Severity)
+### Palo Alto Cortex XDR (EDR) Alert Not Blocked (Medium Severity)
   - 04/03/2026 - minor - Similarity strategy updated to caseID
   - 25/02/2026 - minor - Update rule type to integration
   - 10/03/2025 - minor - Update severity to match the severity level from the editor
     
-### Palo Alto Cortex XDR (EDR) Alert Not Blocked (High Severity)
+### Palo Alto Cortex XDR (EDR) Alert Not Blocked (Low Severity)
   - 04/03/2026 - minor - Similarity strategy updated to caseID
   - 25/02/2026 - minor - Update rule type to integration
   - 10/03/2025 - minor - Update severity to match the severity level from the editor
     
-### Palo Alto Cortex XDR (EDR) Alert Not Blocked (Medium Severity)
+### Palo Alto Cortex XDR (EDR) Alert Not Blocked (High Severity)
   - 04/03/2026 - minor - Similarity strategy updated to caseID
   - 25/02/2026 - minor - Update rule type to integration
   - 10/03/2025 - minor - Update severity to match the severity level from the editor
@@ -249,120 +249,117 @@ Changelog _last update on 2026-06-04_
   - 04/03/2026 - minor - Fix small typo in rule name.
   - 04/04/2024 - major - Rule's pattern field changed
     
-### Netskope Web Isolation On Suspicious Domain
-  - 27/02/2026 - minor - Update rule type to integration
-    
-### AWS GuardDuty Low Severity Alert
-  - 27/02/2026 - minor - Update rule type to integration
-    
-### Darktrace Threat Visualizer Model Breach Suspicious Activity
+### Tenable Identity Exposure / Alsid Critical Severity Alert
   - 27/02/2026 - minor - Update rule type to integration
-  - 02/07/2025 - minor - Update similarity
-  - 12/11/2024 - minor - Update name, description, similarity and severity
+  - 20/01/2025 - minor - Removing event fields to use the smart description
     
-### Varonis Data Security Intrusion Detection Low Severity Alert
+### AWS GuardDuty Medium Severity Alert
   - 27/02/2026 - minor - Update rule type to integration
+  - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
 ### Netskope Admin Audit High Severity
   - 27/02/2026 - minor - Update rule type to integration
   - 29/01/2025 - minor - Rework pattern for high severity events only and filter out authentication events.
   - 28/03/2024 - minor - Rule effort was updated to master
     
-### Varonis Data Security Intrusion Detection Medium Severity Alert
-  - 27/02/2026 - minor - Update rule type to integration
-    
 ### Netskope DLP Alert
   - 27/02/2026 - minor - Update rule type to integration
   - 28/03/2024 - minor - Rule effort was updated to master
     
-### Tenable Identity Exposure / Alsid Critical Severity Alert
+### Varonis Data Security Intrusion Detection High Severity Alert
   - 27/02/2026 - minor - Update rule type to integration
-  - 20/01/2025 - minor - Removing event fields to use the smart description
     
-### Lacework Cloud Security High Severity Alert
+### Varonis Data Security Intrusion Detection Medium Severity Alert
   - 27/02/2026 - minor - Update rule type to integration
     
-### Tenable Identity Exposure / Alsid High Severity Alert
+### Lacework Cloud Security Critical Severity Alert
   - 27/02/2026 - minor - Update rule type to integration
-  - 20/01/2025 - minor - Removing event fields to use the smart description
     
-### Varonis Data Security Email Medium Severity Alert
+### Fastly Next-Gen WAF Audit Threat Alert
   - 27/02/2026 - minor - Update rule type to integration
     
-### Darktrace Threat Visualizer Model Breach Critical Activity
+### WIZ Issues Critical Alert Raised
   - 27/02/2026 - minor - Update rule type to integration
-  - 02/07/2025 - minor - Update similarity
-  - 12/11/2024 - minor - Update name, description, similarity and severity
     
 ### Netskope Malware Patient Zero Detected
   - 27/02/2026 - minor - Update rule type to integration
     
-### WIZ Issues Critical Alert Raised
+### Lacework Cloud Security High Severity Alert
+  - 27/02/2026 - minor - Update rule type to integration
+    
+### Lacework Cloud Security Low Severity Alert
+  - 27/02/2026 - minor - Update rule type to integration
+    
+### Varonis Data Security Email High Severity Alert
   - 27/02/2026 - minor - Update rule type to integration
     
 ### Netskope Malware Detected
   - 27/02/2026 - minor - Update rule type to integration
     
-### Lacework Cloud Security Medium Severity Alert
+### Netskope Alerts Compliance
   - 27/02/2026 - minor - Update rule type to integration
+  - 28/03/2024 - minor - Rule effort was updated to master
+  - 29/01/2024 - minor - Rework detection pattern to focus on compliance issues
     
-### Varonis Data Security Email High Severity Alert
+### AWS GuardDuty Low Severity Alert
   - 27/02/2026 - minor - Update rule type to integration
     
-### Lacework Cloud Security Critical Severity Alert
+### Netskope Web Isolation On Suspicious Domain
   - 27/02/2026 - minor - Update rule type to integration
     
-### Varonis Data Security Intrusion Detection High Severity Alert
+### Tenable Identity Exposure / Alsid High Severity Alert
   - 27/02/2026 - minor - Update rule type to integration
+  - 20/01/2025 - minor - Removing event fields to use the smart description
     
-### AWS GuardDuty Medium Severity Alert
+### Lacework Cloud Security Medium Severity Alert
   - 27/02/2026 - minor - Update rule type to integration
-  - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
-### Lacework Cloud Security Low Severity Alert
+### Varonis Data Security Email Medium Severity Alert
   - 27/02/2026 - minor - Update rule type to integration
     
-### Fastly Next-Gen WAF Audit Threat Alert
+### Darktrace Threat Visualizer Model Breach Suspicious Activity
   - 27/02/2026 - minor - Update rule type to integration
+  - 02/07/2025 - minor - Update similarity
+  - 12/11/2024 - minor - Update name, description, similarity and severity
     
-### Netskope Alerts Compliance
+### Varonis Data Security Intrusion Detection Low Severity Alert
   - 27/02/2026 - minor - Update rule type to integration
-  - 28/03/2024 - minor - Rule effort was updated to master
-  - 29/01/2024 - minor - Rework detection pattern to focus on compliance issues
     
-### Trend Micro Cloud One High Intrusion
-  - 25/02/2026 - minor - Update rule type to integration
+### Darktrace Threat Visualizer Model Breach Critical Activity
+  - 27/02/2026 - minor - Update rule type to integration
+  - 02/07/2025 - minor - Update similarity
+  - 12/11/2024 - minor - Update name, description, similarity and severity
     
 ### Trend Micro Apex One Data Loss Prevention Alert
   - 25/02/2026 - minor - Update rule type to integration
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
-### TEHTRIS EDR Alert
+### Trend Micro Vision One Workbench high Severity Alert
   - 25/02/2026 - minor - Update rule type to integration
     
 ### Trend Micro Vision One Workbench Low Severity Alert
   - 25/02/2026 - minor - Update rule type to integration
     
-### Trend Micro Vision One Workbench high Severity Alert
+### TEHTRIS EDR Alert
   - 25/02/2026 - minor - Update rule type to integration
     
-### Trend Micro Apex One Intrusion Detection Alert
+### Cybereason EDR Alert
   - 25/02/2026 - minor - Update rule type to integration
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
-### Trend Micro Vision One Workbench Medium Severity Alert
-  - 25/02/2026 - minor - Update rule type to integration
-    
 ### Trend Micro Cloud One Low Intrusion
   - 25/02/2026 - minor - Update rule type to integration
     
-### Trend Micro Cloud One Medium Intrusion
+### Trend Micro Vision One Workbench Medium Severity Alert
   - 25/02/2026 - minor - Update rule type to integration
     
 ### Trend Micro Vision One Workbench Critical Severity Alert
   - 25/02/2026 - minor - Update rule type to integration
     
-### Cybereason EDR Alert
+### Trend Micro Cloud One Medium Intrusion
+  - 25/02/2026 - minor - Update rule type to integration
+    
+### Trend Micro Apex One Intrusion Detection Alert
   - 25/02/2026 - minor - Update rule type to integration
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
@@ -370,29 +367,30 @@ Changelog _last update on 2026-06-04_
   - 25/02/2026 - minor - Update rule type to integration
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
+### Trend Micro Cloud One High Intrusion
+  - 25/02/2026 - minor - Update rule type to integration
+    
 ### Antivirus Exploitation Framework Detection
   - 16/02/2026 - minor - Filtering out Event ID 1011 which caused false positives. The rule fired at the deletion of a quarantined file by Defender which was not the wanted behaviour.
     
-### CrowdStrike Falcon Intrusion Detection Medium Severity
+### CrowdStrike Falcon Intrusion Detection Critical Severity
   - 10/02/2026 - minor - Update rule type to integration
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
-### CrowdStrike Falcon Mobile Detection Critical Severity
-  - 10/02/2026 - minor - Update rule type to integration
-    
-### CrowdStrike Falcon Intrusion Detection EppDetection
+### CrowdStrike Falcon Intrusion Detection High Severity EppDetection
   - 10/02/2026 - minor - Update rule type to integration
+  - 02/10/2025 - minor - Alert severity updated to match Crowdstrike's values and sekoia rule CrowdStrike Falcon Intrusion Detection High Severity
   - 05/08/2025 - minor - Alert severity updated to match Crowdstrike's values
     
-### CrowdStrike Falcon Intrusion Detection Critical Severity
+### CrowdStrike Falcon Intrusion Detection Low Severity
   - 10/02/2026 - minor - Update rule type to integration
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
-### CrowdStrike Falcon Intrusion Detection Informational Severity EppDetection
+### CrowdStrike Falcon Intrusion Detection Informational Severity
   - 10/02/2026 - minor - Update rule type to integration
-  - 05/08/2025 - minor - Alert severity updated to match Crowdstrike's values
+  - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
-### CrowdStrike Falcon Intrusion Detection Informational Severity
+### CrowdStrike Falcon Identity Protection Detection Low Severity
   - 10/02/2026 - minor - Update rule type to integration
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
@@ -400,115 +398,117 @@ Changelog _last update on 2026-06-04_
   - 10/02/2026 - minor - Update rule type to integration
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
-### CrowdStrike Falcon Intrusion Detection High Severity EppDetection
+### CrowdStrike Falcon Intrusion Detection Informational Severity EppDetection
   - 10/02/2026 - minor - Update rule type to integration
-  - 02/10/2025 - minor - Alert severity updated to match Crowdstrike's values and sekoia rule CrowdStrike Falcon Intrusion Detection High Severity
   - 05/08/2025 - minor - Alert severity updated to match Crowdstrike's values
     
-### CrowdStrike Falcon Intrusion Detection Medium Severity EppDetection
+### CrowdStrike Falcon Intrusion Detection Medium Severity
   - 10/02/2026 - minor - Update rule type to integration
-  - 05/08/2025 - minor - Alert severity updated to match Crowdstrike's values
+  - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
-### CrowdStrike Falcon Identity Protection Detection High Severity
+### CrowdStrike Falcon Identity Protection Detection Medium Severity
   - 10/02/2026 - minor - Update rule type to integration
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
-### CrowdStrike Falcon Intrusion Detection Low Severity
+### CrowdStrike Falcon Intrusion Detection
   - 10/02/2026 - minor - Update rule type to integration
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
 ### CrowdStrike Falcon Mobile Detection High Severity
   - 10/02/2026 - minor - Update rule type to integration
     
-### CrowdStrike Falcon Mobile Detection Low Severity
+### CrowdStrike Falcon Intrusion Detection EppDetection
   - 10/02/2026 - minor - Update rule type to integration
+  - 05/08/2025 - minor - Alert severity updated to match Crowdstrike's values
     
-### CrowdStrike Falcon Intrusion Detection Low Severity EppDetection
+### CrowdStrike Falcon Intrusion Detection High Severity
   - 10/02/2026 - minor - Update rule type to integration
-  - 05/08/2025 - minor - Alert severity updated to match Crowdstrike's values
+  - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
-### CrowdStrike Falcon Mobile Detection Medium Severity
+### CrowdStrike Falcon Intrusion Detection Medium Severity EppDetection
   - 10/02/2026 - minor - Update rule type to integration
+  - 05/08/2025 - minor - Alert severity updated to match Crowdstrike's values
     
-### CrowdStrike Falcon Identity Protection Detection Medium Severity
+### CrowdStrike Falcon Mobile Detection Low Severity
   - 10/02/2026 - minor - Update rule type to integration
-  - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
-### CrowdStrike Falcon Intrusion Detection High Severity
+### CrowdStrike Falcon Identity Protection Detection High Severity
   - 10/02/2026 - minor - Update rule type to integration
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
-### CrowdStrike Falcon Identity Protection Detection Critical Severity
+### CrowdStrike Falcon Mobile Detection Informational Severity
   - 10/02/2026 - minor - Update rule type to integration
-  - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
 ### CrowdStrike Falcon Intrusion Detection Critical Severity EppDetection
   - 10/02/2026 - minor - Update rule type to integration
     
-### CrowdStrike Falcon Identity Protection Detection Low Severity
+### CrowdStrike Falcon Mobile Detection Medium Severity
   - 10/02/2026 - minor - Update rule type to integration
-  - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
-### CrowdStrike Falcon Intrusion Detection
+### CrowdStrike Falcon Mobile Detection Critical Severity
+  - 10/02/2026 - minor - Update rule type to integration
+    
+### CrowdStrike Falcon Identity Protection Detection Critical Severity
   - 10/02/2026 - minor - Update rule type to integration
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
-### CrowdStrike Falcon Mobile Detection Informational Severity
+### CrowdStrike Falcon Intrusion Detection Low Severity EppDetection
   - 10/02/2026 - minor - Update rule type to integration
+  - 05/08/2025 - minor - Alert severity updated to match Crowdstrike's values
     
-### SentinelOne EDR Threat Detected (Suspicious)
+### SentinelOne EDR Threat Mitigation Report Quarantine Success
   - 02/02/2026 - minor - Update rule type to integration
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
-### SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence)
+### SentinelOne EDR Threat Detected (Malicious)
   - 02/02/2026 - minor - Update rule type to integration
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
-### SentinelOne EDR SSO User Added
+### SentinelOne EDR User Logged In To The Management Console
   - 02/02/2026 - minor - Update rule type to integration
-  - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
+  - 24/03/2023 - minor - Adjusting displayed columns when the rule triggers an alert. Now timestamp and username will be displayed.
     
 ### SentinelOne EDR Threat Mitigation Report Kill Success
   - 02/02/2026 - minor - Update rule type to integration
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
-### SentinelOne EDR Malicious Threat Not Mitigated
+### SentinelOne EDR User Failed To Log In To The Management Console
   - 02/02/2026 - minor - Update rule type to integration
-  - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
 ### SentinelOne EDR Threat Mitigation Report Remediate Success
   - 02/02/2026 - minor - Update rule type to integration
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
-### SentinelOne EDR User Failed To Log In To The Management Console
+### SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively
   - 02/02/2026 - minor - Update rule type to integration
+  - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
-### SentinelOne EDR Custom Rule Alert
+### SentinelOne EDR Threat Detected (Suspicious)
   - 02/02/2026 - minor - Update rule type to integration
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
-### SentinelOne EDR Threat Mitigation Report Quarantine Success
+### SentinelOne EDR Custom Rule Alert
   - 02/02/2026 - minor - Update rule type to integration
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
-### SentinelOne EDR Agent Disabled
+### SentinelOne EDR SSO User Added
   - 02/02/2026 - minor - Update rule type to integration
+  - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
-### SentinelOne EDR Threat Mitigation Report Quarantine Failed
+### SentinelOne EDR Malicious Threat Not Mitigated
   - 02/02/2026 - minor - Update rule type to integration
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
-### SentinelOne EDR Threat Detected (Malicious)
+### SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence)
   - 02/02/2026 - minor - Update rule type to integration
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
-### SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively
+### SentinelOne EDR Threat Mitigation Report Quarantine Failed
   - 02/02/2026 - minor - Update rule type to integration
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
-### SentinelOne EDR User Logged In To The Management Console
+### SentinelOne EDR Agent Disabled
   - 02/02/2026 - minor - Update rule type to integration
-  - 24/03/2023 - minor - Adjusting displayed columns when the rule triggers an alert. Now timestamp and username will be displayed.
     
 ### Download Files From Non-Legitimate TLDs
   - 02/02/2026 - minor - Improved selection to avoid false positives by forcing the destination.ip field.
@@ -529,13 +529,13 @@ Changelog _last update on 2026-06-04_
   - 15/10/2024 - minor - Adding filter to reduce false positives.
   - 13/06/2024 - minor - Adding similarity strategy and changing effort level.
     
-### Microsoft 365 Email Forwarding To Privacy Email Address
-  - 31/12/2025 - minor - Add a domain name to the pattern
-    
 ### Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA)
   - 31/12/2025 - major - Change the similarity strategy to user.id instead of user.email.
   - 01/10/2024 - major - Update the pattern following changes in the phishing kit.
     
+### Microsoft 365 Email Forwarding To Privacy Email Address
+  - 31/12/2025 - minor - Add a domain name to the pattern
+    
 ### Csrss Child Found
   - 23/12/2025 - minor - Rule was moved to advanced effort level considering the number of alerts and addtional filters were added.
   - 16/12/2024 - minor - Improve pattern mandatory fields and add filter to reduce false positives
@@ -551,11 +551,11 @@ Changelog _last update on 2026-06-04_
   - 03/12/2025 - major - Change rule effort level according to sigthings
   - 24/04/2025 - minor - Adding similarity strategy.
     
-### AWS GuardDuty High Severity Alert
+### Vectra General Threat Detection
   - 12/11/2025 - minor - Update rule type to integration
-  - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
+  - 06/10/2025 - minor - Update sources link
     
-### Advanced Threat Detected By Hornetsecurity 365 Total Protection
+### Threat Detected By Hornetsecurity 365 Total Protection
   - 12/11/2025 - minor - Update rule type to integration
     
 ### Varonis Data Security Network Medium Severity Alert
@@ -566,20 +566,20 @@ Changelog _last update on 2026-06-04_
   - 12/11/2025 - minor - Update rule type to integration
   - 06/10/2025 - minor - Update similarity strategy for more granularity
     
-### Spam Detected By Hornetsecurity 365 Total Protection
+### Advanced Threat Detected By Hornetsecurity 365 Total Protection
   - 12/11/2025 - minor - Update rule type to integration
     
+### AWS GuardDuty High Severity Alert
+  - 12/11/2025 - minor - Update rule type to integration
+  - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
+    
 ### Varonis Data Security Network Low Severity Alert
   - 12/11/2025 - minor - Update rule type to integration
   - 06/10/2025 - minor - Update similarity strategy for more granularity
   - 14/05/2025 - major - Fix pattern where severity level was missing
     
-### Threat Detected By Hornetsecurity 365 Total Protection
-  - 12/11/2025 - minor - Update rule type to integration
-    
-### Vectra General Threat Detection
+### Spam Detected By Hornetsecurity 365 Total Protection
   - 12/11/2025 - minor - Update rule type to integration
-  - 06/10/2025 - minor - Update sources link
     
 ### Windows Suspicious Service Creation
   - 28/10/2025 - minor - improve detection by adding pattern
@@ -588,14 +588,14 @@ Changelog _last update on 2026-06-04_
   - 20/10/2025 - minor - Adding COM registering detection pattern and filtering some DLL to avoid false positives.
   - 21/09/2023 - minor - Extend to some usage without dll filename
     
-### Fortigate Firewall Login In Failure
-  - 15/10/2025 - minor - Update pattern to match intake format change
-  - 20/01/2025 - minor - Update pattern to ECS field only
-    
 ### Login Brute-Force On Fortinet Firewall From Internet
   - 15/10/2025 - minor - Update pattern to match intake format change
   - 03/02/2025 - minor - Update pattern to ECS field only and intake format
     
+### Fortigate Firewall Login In Failure
+  - 15/10/2025 - minor - Update pattern to match intake format change
+  - 20/01/2025 - minor - Update pattern to ECS field only
+    
 ### Brute-Force On Fortinet Firewall Login
   - 15/10/2025 - minor - Update pattern to match intake format change
   - 20/01/2025 - minor - Update pattern to ECS field and add intake field format
@@ -662,39 +662,39 @@ Changelog _last update on 2026-06-04_
 ### WMI Fingerprint Commands
   - 19/08/2025 - major - Changing effort level.
     
+### Correlation PowerShell Suspicious DLL Loading
+  - 18/08/2025 - minor - Add filter to reduce false positives
+    
 ### Windows Registry Persistence COM Search Order Hijacking
   - 18/08/2025 - major - Effort level moved to master. Pattern changed to enhance the detection scope. Filters were added to reduce false positives.
   - 11/01/2024 - minor - Adding filtering for some FPs
     
-### Correlation PowerShell Suspicious DLL Loading
-  - 18/08/2025 - minor - Add filter to reduce false positives
-    
-### AWS CloudTrail EC2 Instance Connect SendSSHPublicKey
+### AWS CloudTrail EC2 DeleteKeyPair
   - 14/08/2025 - minor - Similarity strategy modified to group alerts by user ID and instance ID
     
-### AWS CloudTrail EC2 VM Export Failure
-  - 14/08/2025 - minor - Similarity strategy modified to group alerts by user ID and instance ID
+### AWS CloudTrail EC2 CreateKeyPair
+  - 14/08/2025 - minor - Similarity strategy modified to group alerts by user ID and instance ID.
     
-### AWS CloudTrail EC2 CreateVPC
+### AWS CloudTrail EC2 Security Group Modified
   - 14/08/2025 - minor - Similarity strategy modified to group alerts by user ID and instance ID
     
-### AWS CloudTrail EC2 DeleteKeyPair
+### AWS CloudTrail EC2 CreateVPC
   - 14/08/2025 - minor - Similarity strategy modified to group alerts by user ID and instance ID
     
 ### AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey
   - 14/08/2025 - minor - Similarity strategy modified to group alerts by user ID and instance ID
     
-### AWS CloudTrail EC2 Enable Serial Console Access
+### AWS CloudTrail EC2 Instance Connect SendSSHPublicKey
   - 14/08/2025 - minor - Similarity strategy modified to group alerts by user ID and instance ID
     
-### AWS CloudTrail EC2 Startup Script Changed
+### AWS CloudTrail EC2 VM Export Failure
   - 14/08/2025 - minor - Similarity strategy modified to group alerts by user ID and instance ID
     
-### AWS CloudTrail EC2 Security Group Modified
+### AWS CloudTrail EC2 Enable Serial Console Access
   - 14/08/2025 - minor - Similarity strategy modified to group alerts by user ID and instance ID
     
-### AWS CloudTrail EC2 CreateKeyPair
-  - 14/08/2025 - minor - Similarity strategy modified to group alerts by user ID and instance ID.
+### AWS CloudTrail EC2 Startup Script Changed
+  - 14/08/2025 - minor - Similarity strategy modified to group alerts by user ID and instance ID
     
 ### Suspicious PowerShell Invocations - Generic
   - 14/08/2025 - minor - Excluded new paths to reduce false positives.
@@ -763,15 +763,15 @@ Changelog _last update on 2026-06-04_
 ### Capture a network trace with netsh.exe
   - 24/04/2025 - minor - Adding similarity strategy and filters to reduce false positives and changing effort level.
     
-### Usage Of Procdump With Common Arguments
-  - 22/04/2025 - minor - Added filter to reduce false positives and change effort level.
-  - 15/01/2024 - minor - Added filter to reduce false positives.
-    
 ### Antivirus Relevant File Paths Alerts
   - 22/04/2025 - major - Change effort level and similarity strategy
   - 26/03/2024 - major - Rule's pattern field changed
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
+### Usage Of Procdump With Common Arguments
+  - 22/04/2025 - minor - Added filter to reduce false positives and change effort level.
+  - 15/01/2024 - minor - Added filter to reduce false positives.
+    
 ### Commonly Used Commands To Stop Services And Remove Backups
   - 14/04/2025 - major - Reviewing pattern and condition to reduce false positives, adding similarity strategy and changing effort level.
     
@@ -804,20 +804,20 @@ Changelog _last update on 2026-06-04_
   - 14/11/2024 - major - Adding new file extension and new condition to make the rule broader as it can now match on more intakes.
   - 15/04/2024 - minor - Update email from field to latest parser format
     
-### HackTools Suspicious Names
-  - 26/03/2025 - major - Change effort level and added filters.
-  - 11/12/2024 - minor - Added a default similarity based on host name and user name to avoid too many alerts.
-    
 ### MMC Spawning Windows Shell
   - 26/03/2025 - minor - Adding similarity and changing effort level.
     
-### Suspicious Windows Installer Execution
-  - 25/03/2025 - major - Adding many filters and a similarity strategy. Effort was also updated to master.
+### HackTools Suspicious Names
+  - 26/03/2025 - major - Change effort level and added filters.
+  - 11/12/2024 - minor - Added a default similarity based on host name and user name to avoid too many alerts.
     
 ### Successful Overpass The Hash Attempt
   - 25/03/2025 - minor - Changing pattern, adding similarity and changing effort level.
   - 26/03/2024 - major - Rule's pattern field changed
     
+### Suspicious Windows Installer Execution
+  - 25/03/2025 - major - Adding many filters and a similarity strategy. Effort was also updated to master.
+    
 ### Discord Suspicious Download
   - 25/03/2025 - major - Change the rule effort and similarity strategy.
   - 05/08/2023 - minor - Added filters for commonly observed files extensions.
@@ -837,13 +837,15 @@ Changelog _last update on 2026-06-04_
 ### Microsoft Entra ID (Azure AD) Unfamiliar Features
   - 20/03/2025 - major - Change effort level
     
+### NetSh Used To Disable Windows Firewall
+  - 20/03/2025 - minor - Adding similarity and change effort level.
+    
+### Pandemic Windows Implant
+  - 20/03/2025 - major - Rule's effort level has been changed to master, similarity and filter added.
+    
 ### Powershell UploadString Function
   - 20/03/2025 - major - Change effort level and add filter to reduce false positives
     
-### Grabbing Sensitive Hives Via Reg Utility
-  - 20/03/2025 - major - Effort level changed, similarity strategy added, and filters improved to reduce false positives.
-  - 02/01/2024 - minor - Rule was improved to have broader detection and filters were added.
-    
 ### ISO LNK Infection Chain
   - 20/03/2025 - major - Change effort level
   - 18/03/2025 - minor - File path exclusion added to filter some false positives.
@@ -856,11 +858,9 @@ Changelog _last update on 2026-06-04_
   - 18/09/2023 - minor - File paths added to filter some false positives.
   - 13/03/2023 - minor - Extended the list of suspicious process names being spawned from explorer.exe
     
-### NetSh Used To Disable Windows Firewall
-  - 20/03/2025 - minor - Adding similarity and change effort level.
-    
-### Pandemic Windows Implant
-  - 20/03/2025 - major - Rule's effort level has been changed to master, similarity and filter added.
+### Grabbing Sensitive Hives Via Reg Utility
+  - 20/03/2025 - major - Effort level changed, similarity strategy added, and filters improved to reduce false positives.
+  - 02/01/2024 - minor - Rule was improved to have broader detection and filters were added.
     
 ### Searchprotocolhost Child Found
   - 17/03/2025 - major - Rule changed to effort master, and filter added to reduce false positives.
@@ -871,10 +871,6 @@ Changelog _last update on 2026-06-04_
 ### Address Space Layout Randomization (ASLR) Alteration
   - 14/03/2025 - minor - Excluded some commonly observed false positives.
     
-### Powershell Winlogon Helper DLL
-  - 13/03/2025 - major - Adding new filter and similarity strategy to reduce false positives. Changing effort level.
-  - 04/04/2024 - major - Rule's pattern field changed
-    
 ### CMSTP UAC Bypass via COM Object Access
   - 13/03/2025 - minor - Adding filters to reduce false positives and adding similarity.
   - 28/05/2024 - minor - Add pattern to selection to improve coverage
@@ -883,6 +879,10 @@ Changelog _last update on 2026-06-04_
   - 13/03/2025 - major - Adding filters to reduce false positives and adding similarity.
   - 05/08/2023 - major - Filters were added to reduce false positives and effort level was modified.
     
+### Powershell Winlogon Helper DLL
+  - 13/03/2025 - major - Adding new filter and similarity strategy to reduce false positives. Changing effort level.
+  - 04/04/2024 - major - Rule's pattern field changed
+    
 ### Okta Suspicious Use of a Session Cookie
   - 03/03/2025 - minor - Improve detection pattern group-by, value field and timespan, update rule name
     
@@ -896,10 +896,10 @@ Changelog _last update on 2026-06-04_
 ### Login Brute-Force Successful On Jumpcloud Workstation
   - 03/02/2025 - minor - Update pattern to ECS field only
     
-### Correlation Jumpcloud User Logged In From Multiple Countries
+### Login Brute-Force Successful On Jumpcloud Portal
   - 03/02/2025 - minor - Update pattern to ECS field only
     
-### Login Brute-Force Successful On Jumpcloud Portal
+### Correlation Jumpcloud User Logged In From Multiple Countries
   - 03/02/2025 - minor - Update pattern to ECS field only
     
 ### Login Brute-Force Successful Linux
@@ -921,9 +921,6 @@ Changelog _last update on 2026-06-04_
 ### Microsoft Entra ID (Azure AD) Self Service Password Reset In Failure
   - 20/01/2025 - minor - Update pattern to ECS field and specific intake field
     
-### Write To File In Sudoers.d Folder
-  - 20/01/2025 - minor - Update pattern to ECS field only
-    
 ### Python Offensive Tools and Packages
   - 20/01/2025 - major - Rule's pattern changed to reduce false positives.
   - 02/10/2024 - major - Rule's pattern changed
@@ -931,6 +928,9 @@ Changelog _last update on 2026-06-04_
 ### Setuid Or Setgid Usage
   - 20/01/2025 - minor - Update pattern to ECS field only
     
+### Write To File In Sudoers.d Folder
+  - 20/01/2025 - minor - Update pattern to ECS field only
+    
 ### Potential DNS Tunnel
   - 20/01/2025 - major - Update regex pattern to improve detection, and add more filters to avoid false positives
   - 19/07/2023 - major - New regex pattern and new filters.
@@ -943,14 +943,14 @@ Changelog _last update on 2026-06-04_
   - 20/01/2025 - major - Update regex pattern to improve detection, decrease count number, and add more filters to avoid false positives
   - 19/07/2023 - major - New regex pattern and new filters.
     
-### Socat Relaying Socket
-  - 17/01/2025 - major - Significant rewrite of the rule to reduce false positives.
-  - 14/06/2023 - minor - Added filter to the rule to reduce false positives.
-    
 ### Socat Reverse Shell Detection
   - 17/01/2025 - major - Complete rewrite of the rule to reduce false positives.
   - 14/06/2023 - minor - Added filter to the rule to reduce false positives.
     
+### Socat Relaying Socket
+  - 17/01/2025 - major - Significant rewrite of the rule to reduce false positives.
+  - 14/06/2023 - minor - Added filter to the rule to reduce false positives.
+    
 ### Rare Logonui Child Found
   - 17/01/2025 - minor - Adding filter to reduce false positives.
     
@@ -1005,69 +1005,59 @@ Changelog _last update on 2026-06-04_
 ### CVE-2019-0604 SharePoint
   - 04/11/2024 - minor - Added filter to reduce false positives
     
-### Winrshost Wrong Parent
+### Taskhostw Wrong Parent
   - 17/10/2024 - major - Removed a filter on a specific intake, the rule now works fine for every intake. Filters were also added to reduce false positives.
   - 19/03/2024 - major - Added filter to reduce false positives
   - 20/11/2023 - minor - Rule's effort level has been changed to advanced as it was too dependent on the environment.
   - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
   - 04/07/2023 - major - Added filter to reduce false positives
     
-### Wsmprovhost Wrong Parent
-  - 17/10/2024 - major - Removed a filter on a specific intake, the rule now works fine for every intake.
-  - 19/03/2024 - major - Added filter to reduce false positives
-  - 20/11/2023 - minor - Rule's effort level has been changed to advanced as it was too dependent on the environment.
-  - 25/10/2023 - minor - Adding filter to reduce false positives.
-  - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
-  - 04/07/2023 - major - Added filter to reduce false positives
-    
-### Smss Wrong Parent
-  - 17/10/2024 - major - Removed a filter on a specific intake, the rule now works fine for every intake
-  - 05/04/2024 - major - Added filter to reduce false positives
+### Wininit Wrong Parent
+  - 17/10/2024 - major - Removed a filter on a specific intake, the rule now works fine for every intake. A filter was also added to reduce false positives.
   - 19/03/2024 - major - Added filter to reduce false positives
   - 20/11/2023 - minor - Rule's effort level has been changed to advanced as it was too dependent on the environment.
   - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
   - 04/07/2023 - major - Added filter to reduce false positives
     
-### Taskhostw Wrong Parent
-  - 17/10/2024 - major - Removed a filter on a specific intake, the rule now works fine for every intake. Filters were also added to reduce false positives.
+### Spoolsv Wrong Parent
+  - 17/10/2024 - major - Removed a filter on a specific intake, the rule now works fine for every intake. Added some new filters as well to reduce false positives.
   - 19/03/2024 - major - Added filter to reduce false positives
   - 20/11/2023 - minor - Rule's effort level has been changed to advanced as it was too dependent on the environment.
   - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
   - 04/07/2023 - major - Added filter to reduce false positives
     
-### Dllhost Wrong Parent
-  - 17/10/2024 - major - Removed a filter on a specific intake, the rule now works fine for every intake. Some filters on parent process names were also added to reduce false positives.
-  - 19/03/2024 - major - Added filter to reduce false positives
+### Searchprotocolhost Wrong Parent
+  - 17/10/2024 - major - Removed a filter on a specific intake, the rule now works fine for every intake
+  - 12/03/2024 - minor - Added filter to reduce false positives
   - 20/11/2023 - minor - Rule's effort level has been changed to advanced as it was too dependent on the environment.
   - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
   - 04/07/2023 - major - Added filter to reduce false positives
     
-### Logonui Wrong Parent
-  - 17/10/2024 - major - Removed a filter on a specific intake, the rule now works fine for every intake
-  - 07/06/2024 - major - Added filter to reduce false positives
+### Lsass Wrong Parent
+  - 17/10/2024 - major - The rule has been reworked for a specific intake to allow our customers to activate the rule for this intake which was not the case before.
   - 19/03/2024 - major - Added filter to reduce false positives
   - 20/11/2023 - minor - Rule's effort level has been changed to advanced as it was too dependent on the environment.
   - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
   - 04/07/2023 - major - Added filter to reduce false positives
     
-### Taskhost Wrong Parent
+### Wsmprovhost Wrong Parent
   - 17/10/2024 - major - Removed a filter on a specific intake, the rule now works fine for every intake.
   - 19/03/2024 - major - Added filter to reduce false positives
   - 20/11/2023 - minor - Rule's effort level has been changed to advanced as it was too dependent on the environment.
+  - 25/10/2023 - minor - Adding filter to reduce false positives.
   - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
   - 04/07/2023 - major - Added filter to reduce false positives
     
-### Lsass Wrong Parent
-  - 17/10/2024 - major - The rule has been reworked for a specific intake to allow our customers to activate the rule for this intake which was not the case before.
+### Winrshost Wrong Parent
+  - 17/10/2024 - major - Removed a filter on a specific intake, the rule now works fine for every intake. Filters were also added to reduce false positives.
   - 19/03/2024 - major - Added filter to reduce false positives
   - 20/11/2023 - minor - Rule's effort level has been changed to advanced as it was too dependent on the environment.
   - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
   - 04/07/2023 - major - Added filter to reduce false positives
     
-### Searchprotocolhost Wrong Parent
-  - 17/10/2024 - major - Removed a filter on a specific intake, the rule now works fine for every intake
-  - 12/03/2024 - minor - Added filter to reduce false positives
-  - 20/11/2023 - minor - Rule's effort level has been changed to advanced as it was too dependent on the environment.
+### Csrss Wrong Parent
+  - 17/10/2024 - major - Removed a filter on a specific intake, the rule now works fine for every intake.
+  - 19/03/2024 - major - Added filter to reduce false positives
   - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
   - 04/07/2023 - major - Added filter to reduce false positives
     
@@ -1078,8 +1068,8 @@ Changelog _last update on 2026-06-04_
   - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
   - 04/07/2023 - minor - Added filter to reduce false positives
     
-### Searchindexer Wrong Parent
-  - 17/10/2024 - major - Removed a filter on a specific intake, the rule now works fine for every intake.
+### Dllhost Wrong Parent
+  - 17/10/2024 - major - Removed a filter on a specific intake, the rule now works fine for every intake. Some filters on parent process names were also added to reduce false positives.
   - 19/03/2024 - major - Added filter to reduce false positives
   - 20/11/2023 - minor - Rule's effort level has been changed to advanced as it was too dependent on the environment.
   - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
@@ -1091,27 +1081,37 @@ Changelog _last update on 2026-06-04_
   - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
   - 04/07/2023 - major - Added filter to reduce false positives
     
-### Mshta Suspicious Child Process
-  - 17/10/2024 - minor - Adding similarity_strategy and enforce selection
+### Searchindexer Wrong Parent
+  - 17/10/2024 - major - Removed a filter on a specific intake, the rule now works fine for every intake.
+  - 19/03/2024 - major - Added filter to reduce false positives
+  - 20/11/2023 - minor - Rule's effort level has been changed to advanced as it was too dependent on the environment.
+  - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
+  - 04/07/2023 - major - Added filter to reduce false positives
     
-### Wininit Wrong Parent
-  - 17/10/2024 - major - Removed a filter on a specific intake, the rule now works fine for every intake. A filter was also added to reduce false positives.
+### Suspicious Mshta Execution
+  - 17/10/2024 - minor - Adding similarity_strategy
+    
+### Logonui Wrong Parent
+  - 17/10/2024 - major - Removed a filter on a specific intake, the rule now works fine for every intake
+  - 07/06/2024 - major - Added filter to reduce false positives
   - 19/03/2024 - major - Added filter to reduce false positives
   - 20/11/2023 - minor - Rule's effort level has been changed to advanced as it was too dependent on the environment.
   - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
   - 04/07/2023 - major - Added filter to reduce false positives
     
-### Csrss Wrong Parent
-  - 17/10/2024 - major - Removed a filter on a specific intake, the rule now works fine for every intake.
+### Smss Wrong Parent
+  - 17/10/2024 - major - Removed a filter on a specific intake, the rule now works fine for every intake
+  - 05/04/2024 - major - Added filter to reduce false positives
   - 19/03/2024 - major - Added filter to reduce false positives
+  - 20/11/2023 - minor - Rule's effort level has been changed to advanced as it was too dependent on the environment.
   - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
   - 04/07/2023 - major - Added filter to reduce false positives
     
-### Suspicious Mshta Execution
-  - 17/10/2024 - minor - Adding similarity_strategy
+### Mshta Suspicious Child Process
+  - 17/10/2024 - minor - Adding similarity_strategy and enforce selection
     
-### Spoolsv Wrong Parent
-  - 17/10/2024 - major - Removed a filter on a specific intake, the rule now works fine for every intake. Added some new filters as well to reduce false positives.
+### Taskhost Wrong Parent
+  - 17/10/2024 - major - Removed a filter on a specific intake, the rule now works fine for every intake.
   - 19/03/2024 - major - Added filter to reduce false positives
   - 20/11/2023 - minor - Rule's effort level has been changed to advanced as it was too dependent on the environment.
   - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
@@ -1125,6 +1125,9 @@ Changelog _last update on 2026-06-04_
   - 14/10/2024 - minor - Added filter to the rule to reduce false positives.
   - 19/06/2023 - minor - Added filter to the rule to reduce false positives.
     
+### Web Application Launching Shell
+  - 10/10/2024 - major - Adding new elements and filters to increase detection and reduce false positives.
+    
 ### NlTest Usage
   - 10/10/2024 - minor - Adding new elements and filters to increase detection and reduce false positives.
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
@@ -1132,9 +1135,6 @@ Changelog _last update on 2026-06-04_
 ### Microsoft IIS Module Installation
   - 10/10/2024 - major - Adding new commands with powershell and changing effort level.
     
-### Web Application Launching Shell
-  - 10/10/2024 - major - Adding new elements and filters to increase detection and reduce false positives.
-    
 ### Opening Of a Password File
   - 07/10/2024 - minor - Modified similarity strategy.
   - 21/03/2024 - minor - Adding similarity strategy to reduce alerts creation.
@@ -1168,13 +1168,13 @@ Changelog _last update on 2026-06-04_
 ### Credential Dump Tools Related Files
   - 07/08/2024 - major - Effort level was changed. Rule pattern initial field was changed to be ECS compliant and match on more intakes. A process was excluded and a filter was added, both to avoid generating too much false positives.
     
-### Impacket Addcomputer
-  - 05/08/2024 - major - improve selection to extend detection
-    
 ### Suspicious Outbound Kerberos Connection
   - 05/08/2024 - major - Rule reworked to match more intakes and have less false positives (filters were added).
   - 04/04/2024 - major - Rule's pattern field changed
     
+### Impacket Addcomputer
+  - 05/08/2024 - major - improve selection to extend detection
+    
 ### Rclone Process
   - 05/08/2024 - major - Edited pattern of the rule to reduce false positives.
   - 28/06/2023 - minor - Added filter to the rule to reduce false positives.
@@ -1196,6 +1196,11 @@ Changelog _last update on 2026-06-04_
   - 12/07/2024 - minor - Add similarity strategy
   - 26/03/2024 - major - Rule's pattern field changed
     
+### Anomaly Bruteforce - User Enumeration
+  - 12/07/2024 - major - improce coverage, enforce filter and change effort
+  - 13/06/2024 - minor - Adding fields to be displayed in alerts.
+  - 09/04/2024 - major - change field on aggregation
+    
 ### Account Added To A Security Enabled Group
   - 12/07/2024 - minor - add similarity strategy
   - 26/03/2024 - major - Rule's pattern field changed
@@ -1205,11 +1210,6 @@ Changelog _last update on 2026-06-04_
   - 10/07/2024 - minor - Adding filter and new elements to reduce false positives.
   - 04/04/2024 - major - Rule's pattern field changed
     
-### Anomaly Bruteforce - User Enumeration
-  - 12/07/2024 - major - improce coverage, enforce filter and change effort
-  - 13/06/2024 - minor - Adding fields to be displayed in alerts.
-  - 09/04/2024 - major - change field on aggregation
-    
 ### Dynamic Linker Hijacking From Environment Variable
   - 11/07/2024 - minor - Added filter to reduce false positvives
     
@@ -1229,25 +1229,22 @@ Changelog _last update on 2026-06-04_
 ### Suspicious Kerberos Ticket
   - 03/07/2024 - major - Add filter to cover a second case to improve rule coverage
     
-### Disable Task Manager Through Registry Key
-  - 25/06/2024 - major - Fix pattern selection
-  - 21/06/2024 - major - Update detection pattern for ECS fields/value compliance
-    
 ### Suspicious Driver Loaded
   - 25/06/2024 - minor - fix pattern following ECS parsing update
   - 21/05/2024 - major - editing pattern to avoid FP
   - 02/01/2024 - minor - improve selection to avoid FP
     
-### Leviathan Registry Key Activity
+### Disable Task Manager Through Registry Key
+  - 25/06/2024 - major - Fix pattern selection
   - 21/06/2024 - major - Update detection pattern for ECS fields/value compliance
     
-### Usage Of Sysinternals Tools
+### Sticky Key Like Backdoor Usage
   - 21/06/2024 - major - Update detection pattern for ECS fields/value compliance
     
-### OceanLotus Registry Activity
+### Usage Of Sysinternals Tools
   - 21/06/2024 - major - Update detection pattern for ECS fields/value compliance
     
-### Sticky Key Like Backdoor Usage
+### Leviathan Registry Key Activity
   - 21/06/2024 - major - Update detection pattern for ECS fields/value compliance
     
 ### UAC Bypass Using Fodhelper
@@ -1256,6 +1253,9 @@ Changelog _last update on 2026-06-04_
 ### Disable Workstation Lock
   - 21/06/2024 - major - Update detection pattern for ECS fields/value compliance
     
+### OceanLotus Registry Activity
+  - 21/06/2024 - major - Update detection pattern for ECS fields/value compliance
+    
 ### Security Support Provider (SSP) Added to LSA Configuration
   - 21/06/2024 - major - Update detection pattern for ECS fields/value compliance
     
@@ -1280,15 +1280,15 @@ Changelog _last update on 2026-06-04_
 ### Google Workspace Anomaly File Downloads
   - 12/06/2024 - minor - Changing effort level and adding field to alert.
     
-### Anomaly Secret Store Access
-  - 12/06/2024 - minor - Adding new fields to be displayed in alerts.
-  - 08/04/2024 - minor - change field name on query
-    
 ### Lateral Movement Remote Named Pipe
   - 12/06/2024 - minor - Fix filter selection
   - 03/04/2024 - major - Rule's pattern field changed
   - 26/03/2024 - minor - Filter was improved to reduce false positives
     
+### Anomaly Secret Store Access
+  - 12/06/2024 - minor - Adding new fields to be displayed in alerts.
+  - 08/04/2024 - minor - change field name on query
+    
 ### Anomaly New PowerShell Remote Session
   - 11/06/2024 - minor - Adding fields to be displayed in the alert.
     
@@ -1309,10 +1309,10 @@ Changelog _last update on 2026-06-04_
 ### Suspicious PowerShell Keywords
   - 23/05/2024 - minor - Added filter to reduce false positives and new suspicious keywords.
     
-### Password Reset Error Brute-Force On AzureAD
+### Login Brute-Force On Sekoia.io
   - 22/05/2024 - minor - Switch the group-by clause to a sekoiaio uuid field.
     
-### Login Brute-Force On Sekoia.io
+### Password Reset Error Brute-Force On AzureAD
   - 22/05/2024 - minor - Switch the group-by clause to a sekoiaio uuid field.
     
 ### Google Workspace Admin Creation
@@ -1327,44 +1327,54 @@ Changelog _last update on 2026-06-04_
 ### OneNote Suspicious Children Process
   - 15/04/2024 - minor - Changing effort level and adding new filters to reduce false positives.
     
-### DPAPI Domain Backup Key Extraction
+### Suspicious Access To Sensitive File Extensions
   - 04/04/2024 - major - Rule's pattern field changed
     
-### Successful Brute Force Login From Internet
+### Remote Registry Management Using Reg Utility
   - 04/04/2024 - major - Rule's pattern field changed
     
-### DNS Server Error Failed Loading The ServerLevelPluginDLL
+### Secure Deletion With SDelete
   - 04/04/2024 - major - Rule's pattern field changed
     
-### Suspicious Windows ANONYMOUS LOGON Local Account Created
+### SysKey Registry Keys Access
   - 04/04/2024 - major - Rule's pattern field changed
     
-### DHCP Server Error Failed Loading the CallOut DLL
+### User Account Deleted
   - 04/04/2024 - major - Rule's pattern field changed
     
-### Microsoft Malware Protection Engine Crash
+### Remote Privileged Group Enumeration
+  - 04/04/2024 - major - Rule's pattern field changed
+  - 18/04/2023 - minor - Exclude events from the Local System session that cause false positives.
+    
+### User Couldn't Call A Privileged Service LsaRegisterLogonProcess
+  - 04/04/2024 - major - Rule's pattern field changed
+    
+### SCM Database Handle Failure
+  - 04/04/2024 - major - Rule's pattern field changed
+    
+### DHCP Server Loaded the CallOut DLL
   - 04/04/2024 - major - Rule's pattern field changed
     
 ### SAM Registry Hive Handle Request
   - 04/04/2024 - major - Rule's pattern field changed
     
-### Suspicious SAM Dump
+### Account Tampering - Suspicious Failed Logon Reasons
   - 04/04/2024 - major - Rule's pattern field changed
+  - 01/08/2023 - minor - Similarity strategy for the rule has changed and is now based on the user.target.name field.
     
-### User Couldn't Call A Privileged Service LsaRegisterLogonProcess
+### Suspicious Windows ANONYMOUS LOGON Local Account Created
   - 04/04/2024 - major - Rule's pattern field changed
     
 ### Credential Dumping By LaZagne
   - 04/04/2024 - major - Rule's pattern field changed
     
-### RDP Login From Localhost
+### Suspicious SAM Dump
   - 04/04/2024 - major - Rule's pattern field changed
-  - 24/11/2023 - minor - Effort level changed to advanced.
     
-### DHCP Server Loaded the CallOut DLL
+### Suspect Svchost Memory Access
   - 04/04/2024 - major - Rule's pattern field changed
     
-### TUN/TAP Driver Installation
+### Suspicious Hostname
   - 04/04/2024 - major - Rule's pattern field changed
     
 ### Remote Service Activity Via SVCCTL Named Pipe
@@ -1374,202 +1384,192 @@ Changelog _last update on 2026-06-04_
 ### Suspicious LDAP-Attributes Used
   - 04/04/2024 - major - Rule's pattern field changed
     
-### Webshell Creation
+### Microsoft Malware Protection Engine Crash
   - 04/04/2024 - major - Rule's pattern field changed
     
 ### External Disk Drive Or USB Storage Device
   - 04/04/2024 - major - Rule's pattern field changed
     
-### User Account Deleted
+### Webshell Creation
   - 04/04/2024 - major - Rule's pattern field changed
     
-### SCM Database Handle Failure
+### DPAPI Domain Backup Key Extraction
   - 04/04/2024 - major - Rule's pattern field changed
     
 ### WMI Event Subscription
   - 04/04/2024 - major - Rule's pattern field changed
     
-### CVE-2019-0708 Scan
-  - 04/04/2024 - major - Rule's pattern field changed
-    
-### Secure Deletion With SDelete
+### RDP Login From Localhost
   - 04/04/2024 - major - Rule's pattern field changed
+  - 24/11/2023 - minor - Effort level changed to advanced.
     
-### Account Tampering - Suspicious Failed Logon Reasons
+### TUN/TAP Driver Installation
   - 04/04/2024 - major - Rule's pattern field changed
-  - 01/08/2023 - minor - Similarity strategy for the rule has changed and is now based on the user.target.name field.
     
-### MSBuild Abuse
+### Successful Brute Force Login From Internet
   - 04/04/2024 - major - Rule's pattern field changed
     
-### Suspicious Hostname
+### DNS Server Error Failed Loading The ServerLevelPluginDLL
   - 04/04/2024 - major - Rule's pattern field changed
     
-### SysKey Registry Keys Access
+### MSBuild Abuse
   - 04/04/2024 - major - Rule's pattern field changed
     
-### Suspect Svchost Memory Access
+### DHCP Server Error Failed Loading the CallOut DLL
   - 04/04/2024 - major - Rule's pattern field changed
     
-### Remote Registry Management Using Reg Utility
+### CVE-2019-0708 Scan
   - 04/04/2024 - major - Rule's pattern field changed
     
 ### Suspicious PsExec Execution
   - 04/04/2024 - major - Rule's pattern field changed
     
-### Remote Privileged Group Enumeration
-  - 04/04/2024 - major - Rule's pattern field changed
-  - 18/04/2023 - minor - Exclude events from the Local System session that cause false positives.
-    
-### Suspicious Access To Sensitive File Extensions
-  - 04/04/2024 - major - Rule's pattern field changed
-    
 ### Outlook Registry Access
   - 02/04/2024 - major - Updating the pattern and adding filter selection
   - 19/02/2024 - minor - Effort level was adapted according to the observed hits for the rule
     
-### Cloudflare WAF Correlation Alerts
-  - 28/03/2024 - minor - Rule effort was updated to master
-    
 ### WAF Correlation Block actions
   - 28/03/2024 - minor - Rule effort was updated to master
     
 ### WAF Correlation Block Multiple Destinations
   - 28/03/2024 - minor - Rule effort was updated to master
     
-### Admin User RDP Remote Logon
+### Cloudflare WAF Correlation Alerts
+  - 28/03/2024 - minor - Rule effort was updated to master
+    
+### Domain Trust Created Or Removed
   - 26/03/2024 - major - Rule's pattern field changed
     
-### Computer Account Deleted
+### Dynwrapx Module Loading
   - 26/03/2024 - major - Rule's pattern field changed
     
-### AD User Enumeration
+### Python Opening Ports
   - 26/03/2024 - major - Rule's pattern field changed
     
-### Active Directory Delegate To KRBTGT Service
+### Process Hollowing Detection
   - 26/03/2024 - major - Rule's pattern field changed
     
-### Malware Outbreak
+### Active Directory Database Dump Via Ntdsutil
+  - 26/03/2024 - major - Rule's pattern field changed
+    
+### Password Dumper Activity On LSASS
   - 26/03/2024 - major - Rule's pattern field changed
     
 ### Admin Share Access
   - 26/03/2024 - major - Rule's pattern field changed
     
-### Password Change On Directory Service Restore Mode (DSRM) Account
+### PsExec Process
   - 26/03/2024 - major - Rule's pattern field changed
     
-### Possible Replay Attack
+### Potential RDP Connection To Non-Domain Host
   - 26/03/2024 - major - Rule's pattern field changed
     
-### Detection of default Mimikatz banner
+### Backup Catalog Deleted
   - 26/03/2024 - major - Rule's pattern field changed
     
-### Active Directory Replication from Non Machine Account
+### Microsoft Defender Antivirus Tampering Detected
   - 26/03/2024 - major - Rule's pattern field changed
+  - 07/08/2023 - minor - Rule effort changed from intermediate to advanced considering the number of false positives observed.
     
-### LSASS Memory Dump
+### NetNTLM Downgrade Attack
   - 26/03/2024 - major - Rule's pattern field changed
-  - 06/04/2023 - minor - Rule effort has been upgraded to master considering the number of different false positives the rule can trigger.
     
-### LSASS Access From Non System Account
+### Eventlog Cleared
   - 26/03/2024 - major - Rule's pattern field changed
     
-### PsExec Process
+### Active Directory Replication from Non Machine Account
   - 26/03/2024 - major - Rule's pattern field changed
     
-### Chafer (APT 39) Activity
+### Cobalt Strike Default Service Creation Usage
   - 26/03/2024 - major - Rule's pattern field changed
     
 ### Active Directory User Backdoors
   - 26/03/2024 - major - Rule's pattern field changed
   - 06/04/2023 - minor - Removed a selection as it triggered too many false positives, and the detection was not part of the main goal of this rule.
     
-### Python Opening Ports
+### Malware Outbreak
   - 26/03/2024 - major - Rule's pattern field changed
     
-### Password Dumper Activity On LSASS
+### AD Privileged Users Or Groups Reconnaissance
   - 26/03/2024 - major - Rule's pattern field changed
     
-### Microsoft Defender Antivirus Tampering Detected
+### Chafer (APT 39) Activity
   - 26/03/2024 - major - Rule's pattern field changed
-  - 07/08/2023 - minor - Rule effort changed from intermediate to advanced considering the number of false positives observed.
     
-### AD Privileged Users Or Groups Reconnaissance
+### Microsoft Defender Antivirus Threat Detected
   - 26/03/2024 - major - Rule's pattern field changed
+  - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
-### Domain Trust Created Or Removed
+### DC Shadow via Service Principal Name (SPN) creation
   - 26/03/2024 - major - Rule's pattern field changed
     
-### Eventlog Cleared
+### Privileged AD Builtin Group Modified
   - 26/03/2024 - major - Rule's pattern field changed
+  - 10/07/2023 - minor - Added AD groups and change to effort master.
     
-### Process Herpaderping
+### StoneDrill Service Install
   - 26/03/2024 - major - Rule's pattern field changed
     
-### Potential RDP Connection To Non-Domain Host
+### Admin User RDP Remote Logon
   - 26/03/2024 - major - Rule's pattern field changed
     
-### DC Shadow via Service Principal Name (SPN) creation
+### LSASS Access From Non System Account
   - 26/03/2024 - major - Rule's pattern field changed
     
-### NetNTLM Downgrade Attack
+### Smbexec.py Service Installation
   - 26/03/2024 - major - Rule's pattern field changed
     
-### StoneDrill Service Install
+### LSASS Memory Dump
   - 26/03/2024 - major - Rule's pattern field changed
+  - 06/04/2023 - minor - Rule effort has been upgraded to master considering the number of different false positives the rule can trigger.
     
-### Process Hollowing Detection
+### Microsoft Defender Antivirus History Deleted
   - 26/03/2024 - major - Rule's pattern field changed
     
 ### Putty Sessions Listing
   - 26/03/2024 - major - Rule's pattern field changed
     
-### Active Directory Database Dump Via Ntdsutil
-  - 26/03/2024 - major - Rule's pattern field changed
-    
-### Microsoft Defender Antivirus Threat Detected
+### Denied Access To Remote Desktop
   - 26/03/2024 - major - Rule's pattern field changed
-  - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
+  - 19/10/2023 - minor - Minor change in selection to reduce false positives.
     
-### Smbexec.py Service Installation
+### Impacket Secretsdump.py Tool
   - 26/03/2024 - major - Rule's pattern field changed
     
-### Dynwrapx Module Loading
+### AD User Enumeration
   - 26/03/2024 - major - Rule's pattern field changed
     
-### Cobalt Strike Default Service Creation Usage
+### Creation or Modification of a GPO Scheduled Task
   - 26/03/2024 - major - Rule's pattern field changed
     
-### Backup Catalog Deleted
+### Active Directory Delegate To KRBTGT Service
   - 26/03/2024 - major - Rule's pattern field changed
     
-### Denied Access To Remote Desktop
+### Detection of default Mimikatz banner
   - 26/03/2024 - major - Rule's pattern field changed
-  - 19/10/2023 - minor - Minor change in selection to reduce false positives.
     
-### Impacket Secretsdump.py Tool
+### Password Change On Directory Service Restore Mode (DSRM) Account
   - 26/03/2024 - major - Rule's pattern field changed
     
 ### CVE-2017-11882 Microsoft Office Equation Editor Vulnerability
   - 26/03/2024 - major - Rule's pattern field changed
     
-### Possible RottenPotato Attack
+### Malicious Service Installations
   - 26/03/2024 - major - Rule's pattern field changed
     
-### Creation or Modification of a GPO Scheduled Task
+### Possible Replay Attack
   - 26/03/2024 - major - Rule's pattern field changed
     
-### Malicious Service Installations
+### Computer Account Deleted
   - 26/03/2024 - major - Rule's pattern field changed
     
-### Privileged AD Builtin Group Modified
+### Possible RottenPotato Attack
   - 26/03/2024 - major - Rule's pattern field changed
-  - 10/07/2023 - minor - Added AD groups and change to effort master.
     
 ### APT29 Fake Google Update Service Install
   - 26/03/2024 - major - Rule's pattern field changed
     
-### Microsoft Defender Antivirus History Deleted
+### Process Herpaderping
   - 26/03/2024 - major - Rule's pattern field changed
     
 ### Microsoft Entra ID (Azure AD) Login Failed Brute-Force From Single IP Address
@@ -1603,40 +1603,43 @@ Changelog _last update on 2026-06-04_
 ### Non-Legitimate Executable Using AcceptEula Parameter
   - 19/02/2024 - minor - Update filter and effort level according to the observed hits for the rule.
     
-### Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action
+### Sekoia.io EICAR Detection
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
-### Microsoft Defender for Office 365 High Severity AIR Alert
+### Okta Phishing Detection with FastPass Origin Check
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
-### Okta Phishing Detection with FastPass Origin Check
+### Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
-### Sekoia.io EICAR Detection
+### AWS CloudTrail GuardDuty Detector Deleted
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
+  - 08/11/2023 - minor - Added filter to reduce false positives
     
 ### AWS CloudTrail GuardDuty Detector Suspended
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
+### Okta MFA Disabled
+  - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
+    
+### Microsoft Defender for Office 365 High Severity AIR Alert
+  - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
+    
 ### Microsoft Defender for Office 365 Medium Severity AIR Alert
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
 ### Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
-### Okta MFA Disabled
+### Login Brute-Force Successful On SentinelOne EDR Management Console
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
-### AWS CloudTrail GuardDuty Detector Deleted
+### Login Failed Brute-Force On SentinelOne EDR Management Console
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-  - 08/11/2023 - minor - Added filter to reduce false positives
     
 ### WithSecure Elements Critical Severity
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
-### Netsh Port Forwarding
-  - 15/02/2024 - minor - Added filter to reduce false positives
-    
 ### Microsoft Defender Antivirus Disabled Base64 Encoded
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
@@ -1644,13 +1647,10 @@ Changelog _last update on 2026-06-04_
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
   - 10/08/2023 - minor - Rule modified and filter added to reduce false positives.
     
-### CVE-2021-21985 VMware vCenter
-  - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-    
-### Login Brute-Force Successful On SentinelOne EDR Management Console
-  - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
+### Netsh Port Forwarding
+  - 15/02/2024 - minor - Added filter to reduce false positives
     
-### Login Failed Brute-Force On SentinelOne EDR Management Console
+### CVE-2021-21985 VMware vCenter
   - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
     
 ### WMIC Uninstall Product
@@ -1694,13 +1694,13 @@ Changelog _last update on 2026-06-04_
 ### AD Object WriteDAC Access
   - 21/11/2023 - minor - Rule's effort level has been changed to advanced as legitimate administrator actions can trigger the rule.
     
-### Suspicious Double Extension
-  - 21/11/2023 - minor - Rule's effort level has been changed to advanced as it was too dependent on the environment.
-    
 ### UAC Bypass via Event Viewer
   - 21/11/2023 - minor - Improve filter to reduce false positives and clarified the rule pattern.
   - 21/09/2023 - minor - Improve filter to reduce false positives
     
+### Suspicious Double Extension
+  - 21/11/2023 - minor - Rule's effort level has been changed to advanced as it was too dependent on the environment.
+    
 ### PowerShell Credential Prompt
   - 20/11/2023 - minor - Rule's effort level has been changed to advanced as it was too dependent on the environment.
     
@@ -1753,10 +1753,10 @@ Changelog _last update on 2026-06-04_
 ### Suspicious PowerShell Invocations - Specific
   - 26/05/2023 - minor - Added a filter to the rule as some false positives were observed.
     
-### Internet Scanner Target
+### Internet Scanner
   - 28/04/2023 - minor - Support for standard ECS FW fields
     
-### Internet Scanner
+### Internet Scanner Target
   - 28/04/2023 - minor - Support for standard ECS FW fields
     
 ### Audio Capture via PowerShell
diff --git a/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md
index 77ebad197d..2ae15b272b 100644
--- a/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md
@@ -1,4 +1,4 @@
-Rules catalog includes **1067 built-in detection rules** ([_last update on 2026-06-04_](rules_changelog.md)).
+Rules catalog includes **1067 built-in detection rules** ([_last update on 2026-06-11_](rules_changelog.md)).
 ## Reconnaissance
 **Gather Victim Identity Information**
 
diff --git a/_shared_content/operations_center/detection/generated/rules_index.json b/_shared_content/operations_center/detection/generated/rules_index.json
index f06ff52139..3a3849f114 100644
--- a/_shared_content/operations_center/detection/generated/rules_index.json
+++ b/_shared_content/operations_center/detection/generated/rules_index.json
@@ -1 +1 @@
-[{"uuid": "9ea55509-05c5-4af8-9a63-5385a0bfb1db", "name": "Okta MFA Bypass Attempt", "effort": "intermediate", "data_sources": ["Authentication logs"], "description": "A bypass of MFA may have been attempted.", "attack": ["credential-access - Multi-Factor Authentication Interception (T1111)"], "intake-formats": ["Okta"]}, {"uuid": "e500e9c8-5ebb-4a27-9e03-aaa17d41850e", "name": "Google Cloud Audit Logs Account Suspended", "effort": "intermediate", "data_sources": ["GCP audit logs"], "description": "Detects when Google Cloud Audit Logs notify a user account suspended for a suspicious activity", "attack": ["initial-access - Cloud Accounts (T1078.004)"], "intake-formats": []}, {"uuid": "37122f02-7521-4633-95ab-3dbd05fbffc9", "name": "AWS CloudTrail EC2 Instance Connect SendSSHPublicKey", "effort": "advanced", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when an attacker is pushing an SSH Public Key to an EC2 instance. Then he can establish a connection to the console using SSH.", "attack": ["lateral-movement - Cloud Services (T1021.007)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "ffa18f6e-b7ea-46c3-807d-ccc2b94867cc", "name": "Google Workspace Admin Deletion", "effort": "master", "data_sources": ["GCP audit logs"], "description": "Detects when an admin is deleted or when his role is unassigned.", "attack": ["impact - Account Access Removal (T1531)"], "intake-formats": ["Google Workspace / ChromeOS"]}, {"uuid": "86baf707-115c-4b61-8f57-726a67020108", "name": "Zscaler ZIA Malicious Threat Outbreak", "effort": "master", "data_sources": ["Web proxy"], "description": "Spots a peak of malicious threat detection by Zscaler ZIA", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": []}, {"uuid": "dfea5bf5-9c18-4064-af93-840ec8dbd1e0", "name": "Jumpcloud Api Key Updated", "effort": "advanced", "data_sources": ["Access tokens", "Authentication logs"], "description": "An API Token has been updated on Jumplcoud portal.", "attack": ["privilege-escalation - Access Token Manipulation (T1134)"], "intake-formats": ["Jumpcloud Directory Insights"]}, {"uuid": "447316a3-4614-4f2a-97b7-556c9ccfc076", "name": "Microsoft 365 Email Forwarding To Privacy Email Address", "effort": "elementary", "data_sources": ["Office 365 audit logs"], "description": "An email forwarding rule was created, that automatically forwards incoming emails to an address outside of the organization (most common privacy email services).", "attack": ["collection - Email Forwarding Rule (T1114.003)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "581e649b-e4b0-4e2a-8264-387049500920", "name": "Okta Unauthorized Access to App", "effort": "master", "data_sources": ["Authentication logs"], "description": "An user tries to access an unauthorized application.", "attack": ["initial-access - Valid Accounts (T1078)"], "intake-formats": ["Okta"]}, {"uuid": "812cabf9-eefc-471a-89d5-35690f55aad1", "name": "Okta Network Zone Modified", "effort": "intermediate", "data_sources": ["Authentication logs"], "description": "Detects attempts to modify an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", "attack": ["stealth - Disable or Modify Cloud Firewall (T1562.007)"], "intake-formats": ["Okta"]}, {"uuid": "89428c24-f126-4bea-b337-0bc97aadccf9", "name": "Google Workspace MFA changed", "effort": "master", "data_sources": ["GCP audit logs"], "description": "Detects when the settings for the MFA are modified.", "attack": ["credential-access - Multi-Factor Authentication (T1556.006)"], "intake-formats": ["Google Workspace / ChromeOS"]}, {"uuid": "28aed613-fe39-4460-a6b0-30e27cc24042", "name": "Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action", "effort": "master", "data_sources": ["Office 365 audit logs"], "description": "Microsoft Defender for Office 365 includes the capability to run Automated investigation and response (AIR) actions. This rule detects when a Low or Informational severity alert triggered an automated investigation, and remediation actions need to be approved or conducted. Low and Informational alerts include when an email is reported by a user, or when a malicious email is removed after delivery.", "attack": ["initial-access - Phishing (T1566)", "initial-access - Spearphishing Attachment (T1566.001)", "initial-access - Spearphishing Link (T1566.002)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "075aee9c-4dfe-4577-a75a-85dacd7f5703", "name": "Okta Policy Rule Modified or Deleted", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "Detects when an Okta Policy Rule is Modified or Deleted.", "attack": ["privilege-escalation - Domain or Tenant Policy Modification (T1484)"], "intake-formats": ["Okta"]}, {"uuid": "a5d1ad65-5930-478f-bf60-f46b54d4b5bf", "name": "WAF Block Rule", "effort": "master", "data_sources": ["Web application firewall logs"], "description": "Detects when one of WAF rule blocked an HTTP request. This rule often needs fine tuning according to the environment.", "attack": ["reconnaissance - Vulnerability Scanning (T1595.002)"], "intake-formats": ["Gatewatcher AionIQ v102", "Palo Alto Prisma access", "Ubika WAAP Gateway", "Fastly Next-Gen WAF Alerts", "AWS WAF", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Imperva WAF", "Azure Front Door", "Cloudflare WAF events", "Akamai WAF", "F5 Distributed Cloud", "Palo Alto NGFW", "Forcepoint Next-Generation Firewall", "Sophos Firewall", "OGO WAF", "Kaspersky Endpoint Security", "Jumpcloud Directory Insights", "Elastic Winlogbeat"]}, {"uuid": "5ffbb915-52ac-4c92-a3ff-9d59948bf2e8", "name": "Okta User Account Created", "effort": "master", "data_sources": ["Authentication logs"], "description": "A user account has been created in Okta.", "attack": ["persistence - Create Account (T1136)"], "intake-formats": ["Okta"]}, {"uuid": "fb75b30e-f2ca-4f98-9910-f257578f2eb3", "name": "Microsoft Entra ID (Azure AD) Self Service Password Reset In Failure", "effort": "master", "data_sources": ["Application logs", "Authentication logs"], "description": "Detects self-service password reset in failure for various reasons (except licence or policy ones)", "attack": ["privilege-escalation - Account Manipulation (T1098)"], "intake-formats": []}, {"uuid": "3fdb7fa9-18c3-487a-b6cb-19bc9f035458", "name": "Microsoft 365 (Office 365) Potential Ransomware Activity Detected", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected with ransomware.", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "d65a53d5-d578-472d-959e-1b2d4aad4963", "name": "Login Brute-Force Successful On Jumpcloud Workstation", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "A user has attempted to login several times (brute-force) on Jumpcloud monitored workstations (windows, linux, mac) and succeeded to login.", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": []}, {"uuid": "69faf034-e2ee-4c2b-94c9-4af5e3b110e8", "name": "Microsoft 365 Security and Compliance Center High Severity Alert", "effort": "master", "data_sources": ["Office 365 audit logs"], "description": "A security or compliance-related alert of high severity was raised, based on the policies of the tenant. This rule can be very noisy depending on the configuration of the tenant. Alert filters are likely required. In addition, most alerts don't include any context, and are only useful if the analysts have access to the Microsoft portals to investigate.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "eb6b30af-c032-4678-a3c2-8c91a539ba42", "name": "Microsoft 365 (Office 365) Malware Filter Policy Removed", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects when a malware policy has been deleted in Microsoft 365 (Office 365). A malware filter policy is used to alert administrators that an internal user sent a message that contained malware.", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "7c196e24-8e50-4b1b-975f-edf08cd95cb6", "name": "Microsoft Entra ID (Azure AD) Password Spray", "effort": "intermediate", "data_sources": ["Azure activity logs"], "description": "Detects when Microsoft Entra ID (Azure AD) indicates that multiple usernames are attacked using common passwords in a unified brute force manner to gain unauthorized access. To use this feature, you must have an Microsoft Entra ID (Azure AD) Premium P2 license (https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection).", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "4451d02e-deba-4af4-9aee-d92e0379d3f3", "name": "Entra ID Consent Attempt to Suspicious OAuth Application", "effort": "elementary", "data_sources": ["Office 365 audit logs", "Azure activity logs"], "description": "Detects an attempt to authorize account access to an OAuth application commonly used in business email compromise (BEC) attacks. Investigate the source IP address: unusual countries, RDP hosts and VPN providers are likely indicators of malicious activity.", "attack": ["collection - Remote Email Collection (T1114.002)"], "intake-formats": ["Microsoft Entra ID / Azure AD", "Microsoft 365 / Office 365"]}, {"uuid": "12d168ad-9a14-44b3-adbe-0d257c10f156", "name": "AWS CloudTrail Disable MFA", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs", "Services"], "description": "Detects a user disabling the multi factor authentication mechanism for its account. It could be a sign of malicious activity.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "d9fe0599-253a-49a2-b9df-7f41b8e27613", "name": "Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA)", "effort": "elementary", "data_sources": ["Office 365 audit logs", "Azure activity logs"], "description": "Detects a sign-in attempt with known characteristics of the adversary-in-the-middle phishing kit Tycoon 2FA.", "attack": ["collection - Adversary-in-the-Middle (T1557)", "credential-access - Multi-Factor Authentication Interception (T1111)"], "intake-formats": ["Microsoft Entra ID / Azure AD", "Microsoft 365 / Office 365"]}, {"uuid": "616298a7-72e5-44f2-8c46-2d18cd142d65", "name": "AWS CloudTrail IAM DeleteSAMLProvider", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when an IAM user deletes a SAML provider, which could be performed by attackers to cover their tracks.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "07936b58-87bc-44f6-9d3f-028c54e3e565", "name": "Microsoft Defender for Office 365 High Severity AIR Alert", "effort": "master", "data_sources": ["Office 365 audit logs"], "description": "Microsoft Defender for Office 365 includes the capability to run Automated investigation and response (AIR) actions. This rule detects when a High severity alert triggers an automated investigation, such as when a potentially malicious URL click was detected, or when a user is restricted from sending email.", "attack": ["resource-development - Compromise Accounts (T1586)", "resource-development - Email Accounts (T1586.002)", "initial-access - Phishing (T1566)", "initial-access - Spearphishing Attachment (T1566.001)", "initial-access - Spearphishing Link (T1566.002)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "8bc4144a-14fd-4c9f-ba40-7085d4642057", "name": "Okta Phishing Detection with FastPass Origin Check", "effort": "intermediate", "data_sources": ["Authentication logs"], "description": "Okta's FastPass prevents known phishing sites.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Okta"]}, {"uuid": "06965b3c-4456-4a70-8d2a-1acf231fd9f2", "name": "Correlation Jumpcloud User Logged In From Multiple Countries", "effort": "intermediate", "data_sources": ["Authentication logs"], "description": "Detection of login events from multiple countries on Jumpcloud portal.", "attack": ["resource-development - Compromise Accounts (T1586)"], "intake-formats": []}, {"uuid": "dc901edb-447c-4433-a651-6f4225c3c735", "name": "Password Reset Error Brute-Force On AzureAD", "effort": "intermediate", "data_sources": ["Authentication logs", "Azure activity logs"], "description": "A reset of password has failed on Azure Active Directory, 5 times within the same entity.", "attack": ["credential-access - Brute Force (T1110)"], "intake-formats": []}, {"uuid": "29dc52b3-a88f-4766-9fe3-89aa51cde3ce", "name": "Google Cloud Audit Logs Application Authorized", "effort": "master", "data_sources": ["GCP audit logs"], "description": "Detects when an application is authorized to access a Google user account. An exception is currently made for GMAIL because of the large number of hits.", "attack": ["initial-access - Cloud Accounts (T1078.004)"], "intake-formats": []}, {"uuid": "0eedbee0-5344-4c0f-b25e-a49adab99b90", "name": "AWS CloudTrail IAM DeleteOpenIDConnectProvider", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs"], "description": "Detects the deletion of an IAM entity to describe an identity provider that supports OpenID Connect.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "ec868df0-4008-4ca7-8c2c-fd1caaba0e96", "name": "Microsoft 365 (Office 365) MCAS New Country", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects when Microsoft Cloud App Security identifies a sign-in from a country where it has never connected. To use this feature, you must have an Microsoft 365 (Office 365) E5 license (https://docs.microsoft.com/en-us/defender-cloud-apps/get-started?culture=fr-fr&country=FR).", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "c4521529-9b6f-4c3f-8e3f-022e34ce1262", "name": "Microsoft Entra ID (Azure AD) Login Failed Brute-Force From Single IP Address", "effort": "advanced", "data_sources": ["Azure activity logs", "Authentication logs"], "description": "A user has attempted to login several times (brute-force) on AzureAD and failed every time, all from the same source IP address and in a timerange of 5 minutes.", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "6d0ee04c-801f-4665-8e97-f4f8eef4bf83", "name": "GitHub Delete Action", "effort": "advanced", "data_sources": ["Application logs"], "description": "Detects a Delete/Destroy action in GitHub audit logs.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Github Audit logs"]}, {"uuid": "b79476d2-2145-446a-8f7c-9ed203269853", "name": "Microsoft Entra ID (Azure AD) Token Issuer Anomaly", "effort": "advanced", "data_sources": ["Azure activity logs"], "description": "Detects when Microsoft Entra ID (Azure AD) indicates that The SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns. To use this feature, you must have an Microsoft Entra ID (Azure AD) Premium P2 license (https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection).", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "40e9543e-03a2-4ccf-a4c7-d047bae5ceba", "name": "Mimecast Email Security Spam Not Denied", "effort": "master", "data_sources": ["Email gateway"], "description": "Detects when a spam has been detected by Mimecast and was not denied.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Mimecast Email Security"]}, {"uuid": "f4b3a101-337d-4e6f-8531-07a41fd2c97f", "name": "Okta User Impersonation Access", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "A user has initiated a session impersonation granting them access to the environment with the permissions of the user they are impersonating. This would likely indicate Okta administrative access and should only ever occur if requested and expected.", "attack": ["privilege-escalation - Account Manipulation (T1098)", "privilege-escalation - Abuse Elevation Control Mechanism (T1548)"], "intake-formats": ["Okta"]}, {"uuid": "14e75730-c79b-4416-a503-6f7c30757053", "name": "Entra ID Sign-In Via Known AiTM Phishing Kit (HoneySecurity / HoneyStorm)", "effort": "elementary", "data_sources": ["Office 365 audit logs", "Azure activity logs"], "description": "Detects a sign-in attempt with known characteristics of the adversary-in-the-middle phishing kit HoneySecurity / HoneyStorm.", "attack": ["collection - Adversary-in-the-Middle (T1557)", "credential-access - Multi-Factor Authentication Interception (T1111)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "702d6b88-fc80-41dd-93f2-b67d61b72479", "name": "Google Workspace Password Change", "effort": "master", "data_sources": ["GCP audit logs"], "description": "Detects when a password is changed. An attacker can perform this action to impact the availability of the account.", "attack": ["credential-access - Modify Authentication Process (T1556)"], "intake-formats": ["Google Workspace / ChromeOS"]}, {"uuid": "83e4edae-4c8a-47fb-8f74-9087b889e5a9", "name": "AWS CloudTrail Config Disable Channel/Recorder", "effort": "elementary", "data_sources": ["AWS CloudTrail logs", "Services"], "description": "Detects AWS Config Service disabling channel or recorder", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "e5a9528e-bd74-4f78-88a2-f24786c428db", "name": "AWS CloudTrail EventBridge Rule Disabled Or Deleted", "effort": "master", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when an attacker is trying to evade defenses by deleting or disabling EventBridge rules", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "f177e556-ca5a-4953-a4d6-a2fc75054603", "name": "Okta API Token revoked", "effort": "advanced", "data_sources": ["Access tokens", "Authentication logs"], "description": "A new API Token has been deleted on Okta SSO.", "attack": ["privilege-escalation - Access Token Manipulation (T1134)"], "intake-formats": ["Okta"]}, {"uuid": "3da65917-8be8-45e4-864a-e7e91ab00c0a", "name": "Google Workspace Admin Modification", "effort": "master", "data_sources": ["GCP audit logs"], "description": "Detects when an admin is modified.", "attack": ["privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["Google Workspace / ChromeOS"]}, {"uuid": "a19df6fa-768e-449d-a97e-41d137ad0a38", "name": "AWS CloudTrail EC2 Subnet Deleted", "effort": "master", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when an attacker is destroying an EC2 subnet.", "attack": ["defense-impairment - Delete Cloud Instance (T1578.003)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "f5485133-ff25-4d25-aef8-6e9d797e4ea2", "name": "Bitsight SPM Severe Vulnerability", "effort": "master", "data_sources": ["Asset management"], "description": "Bitsight SPM has raised a severe vulnerability finding", "attack": ["reconnaissance - Vulnerability Scanning (T1595.002)"], "intake-formats": ["Bitsight SPM"]}, {"uuid": "3e33325c-31ac-458c-a9e3-ce07023db017", "name": "Google Cloud Audit Logs Drive Ownership Transferred", "effort": "advanced", "data_sources": ["GCP audit logs"], "description": "Detects when Drive/Docs user files ownership is transferred. The legit use case is when a user is being removed, but this could also be abused by an attacker for exfiltration.", "attack": ["exfiltration - Transfer Data to Cloud Account (T1537)"], "intake-formats": []}, {"uuid": "ccaac5a8-a84a-4a80-bf87-82a6fa7223e8", "name": "AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs"], "description": "Detects the addition of a Client ID to an existing identity provider that supports OpenID Connect.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "bb232ace-139a-43f9-9b5d-f54102b8ae2e", "name": "Microsoft Entra ID (Azure AD) Abnormal Token", "effort": "intermediate", "data_sources": ["Azure activity logs"], "description": "Detects when Microsoft Entra ID (Azure AD) indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location. To use this feature, you must have an Microsoft Entra ID (Azure AD) Premium P2 license (https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection).", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "ec9a2626-beca-42c9-bca7-0921ae3f56cc", "name": "AWS CloudTrail Root ConsoleLogin", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs"], "description": "Detects a login with a root account on AWS portal. It is a best practice to avoid root account usage for daily tasks and to create an IAM admin user.", "attack": ["defense-impairment - Modify Cloud Compute Infrastructure (T1578)", "privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "9208ad44-5f90-4008-8df2-4aec7754ea9d", "name": "AWS CloudTrail EC2 VM Export Failure", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs"], "description": "Detects attempt to export an AWS EC2 instance. A VM Export might indicate an attempt to extract information from an instance.", "attack": ["collection - Data from Local System (T1005)", "exfiltration - Transfer Data to Cloud Account (T1537)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "cf0ba775-0ba7-400e-ab8b-981e78adf139", "name": "Google Workspace Login Brute-Force", "effort": "master", "data_sources": ["GCP audit logs"], "description": "Detects when a user failed to login multiple times before a successful login.", "attack": ["credential-access - Brute Force (T1110)"], "intake-formats": ["Google Workspace / ChromeOS"]}, {"uuid": "5981c962-760b-474d-814a-d7197a43bbe5", "name": "SecurityScorecard Vulnerability Assessment Scanner New Issues", "effort": "master", "data_sources": ["Application logs"], "description": "Raises an alert when SecurityScorecard Vulnerability Assessment Scanner find new issues.", "attack": ["initial-access - External Remote Services (T1133)"], "intake-formats": ["SecurityScorecard Vulnerability Assessment Scanner"]}, {"uuid": "28f31550-2834-4afe-a432-688f3fd4d9e5", "name": "AWS CloudTrail IAM Password Policy Updated", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs"], "description": "Detects an update to the password policy. This could be an attempt to lower accounts security level.", "attack": ["defense-impairment - Modify Cloud Compute Infrastructure (T1578)", "privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "5dddb77c-da3a-4430-9ff1-143f2c329c2a", "name": "AWS CloudTrail EC2 CreateVPC", "effort": "advanced", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when a VPC is created.", "attack": ["defense-impairment - Create Cloud Instance (T1578.002)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "e98a6afe-ac53-4d8f-b06e-8ae8c7d2d38b", "name": "Google Workspace Domain Delegation", "effort": "master", "data_sources": ["GCP audit logs"], "description": "Detects when a domain delegation is granted.", "attack": ["privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["Google Workspace / ChromeOS"]}, {"uuid": "34e75117-a852-45a9-891a-46738d6b0e66", "name": "Microsoft Entra ID (Azure AD) Successful Password Spraying From Single IP Address", "effort": "advanced", "data_sources": ["Azure activity logs", "Authentication logs"], "description": "An IP address performed several failed logins on multiple users to then have a successful login on one of them. Note that even if the sign-in was blocked by MFA (error 50074/50076/50158) or conditional access (error 50097/53003), these verifications only occur after the correct password was submitted. The account's password must still be considered compromised, and be changed.", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "16113193-d20e-4e77-a70f-8731444641dc", "name": "Microsoft Entra ID (Azure AD) Impossible Travel", "effort": "master", "data_sources": ["Azure activity logs"], "description": "Detects when Microsoft Entra ID (Azure AD) identifies two user activities (a single or multiple sessions) originating from geographically distant locations within a time period shorter than the time it would have taken the user to travel from the first location to the second. To use this feature, you must have an Microsoft Entra ID (Azure AD) Premium P2 license (https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection).", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "f0ce355f-714f-4128-8148-28cc6651975b", "name": "Zscaler ZIA Malicious Threat", "effort": "master", "data_sources": ["Web proxy"], "description": "Zscaler Internet Access has detected a network traffic as malicious", "attack": ["execution - Malicious Link (T1204.001)"], "intake-formats": ["Zscaler Internet Access"]}, {"uuid": "266b87e8-7a09-43f2-8e79-c7139c7a0a0e", "name": "AWS CloudTrail Route 53 Domain Transfer Attempt", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when a request in success or failure is made to transfer a domain name to an other AWS account", "attack": ["defense-impairment - Modify Cloud Compute Infrastructure (T1578)", "privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "bb894761-3c10-4372-a619-8fdac09d0411", "name": "Microsoft Entra ID (Azure AD) Suspicious Browser", "effort": "master", "data_sources": ["Azure activity logs"], "description": "Detects when Microsoft Entra ID (Azure AD) identifies suspicious sign-in activity across multiple tenants from different countries in the same browser. To use this feature, you must have an Microsoft Entra ID (Azure AD) Premium P2 license (https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection).", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "5b5c609b-c197-41e2-a7ba-be795acb7f11", "name": "Sign-In Via Known AiTM Phishing Kit", "effort": "elementary", "data_sources": ["Office 365 audit logs", "Azure activity logs"], "description": "Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.", "attack": ["collection - Adversary-in-the-Middle (T1557)", "credential-access - Multi-Factor Authentication Interception (T1111)"], "intake-formats": ["Palo Alto Prisma access", "WatchGuard Firebox", "FreeRADIUS", "GraphAPI for Microsoft Entra ID / Azure AD", "Google Workspace / ChromeOS", "Cato Networks SASE", "CyberArk Audit Logs", "ArubaOS Switch", "Salesforce", "Okta", "Fortinet FortiWeb", "MokN - Baits", "Microsoft Entra ID / Azure AD", "Wiz Audit Logs", "Fortinet FortiMail", "Zscaler Internet Access", "Palo Alto NGFW", "Microsoft 365 / Office 365", "Netskope", "Cloudflare Access Requests", "Cisco Duo Security"]}, {"uuid": "2fa62b41-cfc8-42b0-aef0-e9bc1448004a", "name": "Varonis Many Accounts Disabled", "effort": "master", "data_sources": ["File monitoring"], "description": "This rule identifies a high number of account disabled.", "attack": ["privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["Varonis Data Security"]}, {"uuid": "d401eccc-9508-4eb5-9539-c2f9f366ac63", "name": "AWS CloudTrail IAM CreateSAMLProvider", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when an IAM user creates a SAML provider, which could allow third-party connection and therefore could be used by attackers.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "9de0e071-91ef-45ee-a895-1b833858aca3", "name": "Microsoft 365 (Office 365) Mass Download By A Single User", "effort": "master", "data_sources": ["Anti-virus"], "description": "Identifies when Microsoft Cloud App Security reports that a single user performs more than 50 downloads within 1 minute.", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "9fe79727-64ab-46a6-983a-97ef473bca82", "name": "Cloudflare WAF Correlation Alerts", "effort": "master", "data_sources": ["Web application firewall logs"], "description": "Detection of multiple alerts (more than 5) triggered by the same source by Cloudflare detection rules", "attack": ["reconnaissance - Vulnerability Scanning (T1595.002)"], "intake-formats": ["Cloudflare HTTP requests"]}, {"uuid": "b61c9834-b0eb-424e-b3a9-0653872df4d9", "name": "Microsoft Entra ID (Azure AD) MFA Method Change", "effort": "master", "data_sources": ["Azure activity logs"], "description": "This rule detects when an user makes a change to the multifactor authentication methods for their account. In environments where this rule is too noisy, alert filters should be applied, e.g. to focus on privileged accounts, or unusual source network locations.", "attack": ["credential-access - Multi-Factor Authentication (T1556.006)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "8a0cef5a-c899-41f4-8532-474c0bf64e10", "name": "WAF Correlation Block actions", "effort": "master", "data_sources": ["Web application firewall logs"], "description": "Detection of multiple block actions (more than 30) triggered by the same source by WAF detection rules", "attack": ["reconnaissance - Vulnerability Scanning (T1595.002)"], "intake-formats": ["Sophos Firewall", "Gatewatcher AionIQ v102", "Bitdefender GravityZone", "F5 Distributed Cloud", "Palo Alto Prisma access", "Palo Alto NGFW", "Ubika WAAP Gateway", "Imperva WAF", "Fastly Next-Gen WAF Alerts", "Azure Front Door", "Forcepoint Next-Generation Firewall", "AWS WAF", "Cloudflare WAF events", "OGO WAF", "Jumpcloud Directory Insights", "Elastic Winlogbeat"]}, {"uuid": "b8520ae3-b5e0-4172-ab2d-b0bef666d661", "name": "Entra ID Sign-In Via Known AiTM Phishing Kit (Greatness)", "effort": "elementary", "data_sources": ["Office 365 audit logs", "Azure activity logs"], "description": "Detects a sign-in attempt with known characteristics of the adversary-in-the-middle phishing kit Greatness.", "attack": ["collection - Adversary-in-the-Middle (T1557)", "credential-access - Multi-Factor Authentication Interception (T1111)"], "intake-formats": ["Microsoft Entra ID / Azure AD", "Microsoft 365 / Office 365"]}, {"uuid": "17abe9fb-a9aa-4468-9048-8e5d2d55ee3e", "name": "Sekoia.io EICAR Detection", "effort": "master", "data_sources": ["Process monitoring", "Web logs"], "description": "Detects observables in Sekoia.io CTI tagged as EICAR, which are fake samples meant to test detection.", "attack": ["execution - Command and Scripting Interpreter (T1059)"], "intake-formats": ["Broadcom Siteminder", "Fortinet FortiGate", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "Hornetsecurity 365 Total Protection", "Google Cloud Audit Logs", "GraphAPI for Microsoft Entra ID / Azure AD", "AWS WAF", "Apache HTTP Server", "Juniper Networks Switches", "NeroSwarm Honeypot", "Sekoia.io activity logs", "Veeam Backup", "Elastic AuditBeat Linux", "Trellix Network Security", "Delinea PRA", "Cisco Secure Web Appliance", "Azure Front Door", "Cloudflare Gateway Network", "Azure Windows", "Proofpoint PoD", "Juniper NGFW", "Vade for M365", "Sophos Analysis Threat Center", "Wiz Audit Logs", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Cloudflare DNS logs", "Google VPC Flow Logs", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Zscaler Internet Access", "Forcepoint Next-Generation Firewall", "Vectra Cognito Detect", "HarfangLab EDR", "Fortinet FortiProxy", "Stormshield SNS", "Microsoft 365 / Office 365", "EfficientIP SOLIDServer DDI", "Google Cloud Load Balancing", "OCSF", "ExtraHop Reveal(x) 360", "VMware vCenter", "Suricata", "Cloudflare Gateway DNS", "Crowdstrike Falcon Telemetry", "SonicWall Secure Mobile Access", "OpenBSD Packet Filter / OPNSense / PfSense", "Elastic Winlogbeat", "Github Audit logs", "Systancia Cleanroom", "Cloudflare Audit logs", "Watchguard EPDR", "Cisco ISE", "ManageEngine ADAudit Plus", "Wiz Threat Detections", "Broadcom Edge Secure Web Gateway", "CrowdStrike Falcon", "Infoblox DDI", "1Password EPM", "Postfix", "PingFederate", "Google Workspace / ChromeOS", "Olfeo SAAS", "Rubycat PROVE IT", "Radware DefensePro [Beta]", "Apache SpamAssassin", "Cloudflare WAF events", "Fastly Next-Gen WAF Audit Logs", "Kubernetes Audit Log", "Trellix Advanced Threat Defense", "Fortinet FortiWeb", "TEHTRIS EDR", "Akamai WAF", "AWS CloudFront", "BeyondTrust Privileged Remote Access Session", "Microsoft Entra ID / Azure AD", "AWS GuardDuty", "BeyondTrust PRA Team [BETA]", "Cloudflare HTTP requests", "BIND", "Ubika Cloud Protector Traffic [DEPRECATED]", "Zscaler Private Access [BETA]", "Nozomi CMC", "Wiz Issues", "Aleph Alerts [BETA]", "ISC DHCP", "Akamai Guardicore Cloud [BETA]", "Cyberwatch Detection", "Lacework Cloud Security", "Sekoia.io Endpoint Agent", "Cisco Umbrella Proxy", "Varonis Data Security", "F5 NGINX", "Forcepoint Secure Web Gateway", "Check Point Harmony Email & Collaboration Suite Security", "Trend Micro Apex One / Vision One endpoint", "Cisco Umbrella DNS", "Broadcom/Symantec Endpoint Security", "Bitsight SPM", "Cisco IOS router and switch", "LockSelf LockPass/LockTransfer/LockFiles", "OpenSSH", "Proofpoint TAP", "Microsoft Defender XDR (Graph API) [BETA]", "Stormshield SES", "Akamai Guardicore On-Prem [BETA]", "Forcepoint Management Server", "Cisco Secure Firewall", "Palo Alto Prisma access", "Ubika WAAP Gateway", "IBM AIX", "PRODAFT USTA Cyber Threat Intelligence Platform", "Clavister NGFW", "Unbound", "BeyondTrust Privileged Remote Access Syslog [BETA]", "SonicWall Firewall", "Mimecast Email Security", "ESET Protect", "Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "Azure Network Watcher [DEPRECATED]", "Citrix NetScaler / ADC", "Microsoft Always On VPN", "Cato Networks SASE", "Cisco ESA", "Nozomi Vantage", "Trellix EPO [ALPHA]", "Imperva WAF", "Ubika Cloud Protector Next Generation Alerts", "CyberArk Audit Logs", "ArubaOS Switch", "Salesforce", "Okta", "HAProxy", "Olfeo secure web gateway", "Gatewatcher AionIQ V103", "AWS CloudTrail", "CEF", "WatchGuard Endpoint Security / Panda Security Aether", "F5 Distributed Cloud", "Check Point NGFW", "Fortinet FortiMail", "Netskope Transaction Events with AWS S3", "Palo Alto NGFW", "Azure Files", "Sophos Firewall", "Netskope", "Microsoft IIS", "Cloudflare Access Requests", "Cisco Umbrella IP", "Thinkst Canary", "Microsoft 365 Message Trace [DEPRECATED]", "Cisco NX-OS", "OpenVPN", "NucleonEDR", "Windows", "Jumpcloud Directory Insights", "OpenLDAP", "Keycloak Events", "Netfilter", "Seckiot Citadelle", "Gatewatcher AionIQ v102", "Ekinops OneOS", "Claroty xDome", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "WatchGuard Firebox", "FreeRADIUS", "Squid", "Fastly Next-Gen WAF Alerts", "Cisco Meraki MX", "F5 BIG-IP", "Ivanti / Pulse Connect Secure", "Microsoft 365 Message Trace (Graph API)", "Jizo AI / Sesame it NDR", "VMware ESXi", "Darktrace Threat Visualizer", "Trellix ePO (on-prem)", "Microsoft Intune", "Bitdefender GravityZone", "Nanocorp [BETA]", "Broadcom Cloud Secure Web Gateway", "Azure Database for MySQL", "Palo Alto Cortex XDR (EDR)", "Retarus Email Security", "Microsoft Defender XDR / Microsoft 365 Defender", "Trapster (by Ballpoint) [BETA]", "AWS VPC Flow logs", "MokN - Baits", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "WithSecure Elements", "CyberArk Digital Vault", "Wiz Vulnerability Findings", "OGO WAF", "Trend Micro Cloud One / Deep Security", "Azure Activity Logs", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "SentinelOne EDR", "Azure Key Vault", "IBM iSeries", "Azure Network Watcher Flow Logs", "Ubika Cloud Protector Alerts [DEPRECATED]", "Cisco Duo Security", "Cisco Catalyst SD-WAN", "WALLIX Bastion", "Vade Cloud"]}, {"uuid": "9995ef80-7d28-445c-b147-1199b95330e9", "name": "GitHub High Risk Configuration Disabled", "effort": "advanced", "data_sources": ["Application logs"], "description": "Detects a configuration being disabled in GitHub. It detects only configuration judged as highly risky if disabled. An organization should adapt this rule according to its environment.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Github Audit logs"]}, {"uuid": "4c0d67c1-3dc4-4d44-9fc0-ab13cdc2dba1", "name": "Microsoft 365 (Office 365) Safelinks Disabled", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects when a safelink rule has been deleted in Microsoft 365 (Office 365). Safe Links is a feature in Defender for Microsoft 365 (Office 365) that provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages and other locations.", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "64e945f5-930a-40c8-b7ae-a3ddaae78171", "name": "Google Cloud Audit Logs Application Added", "effort": "intermediate", "data_sources": ["GCP audit logs"], "description": "Detects when an application is added to Google Workspace Domain. This should be an expected change made by an administrator and need to be checked.", "attack": ["initial-access - Cloud Accounts (T1078.004)"], "intake-formats": []}, {"uuid": "9a0333c6-e022-482c-9c38-13bf6ab2335b", "name": "Okta Suspicious Use of a Session Cookie", "effort": "intermediate", "data_sources": ["Authentication logs"], "description": "Suspicious use of a session cookie by detecting multiple client values (IP, User Agent, etc.) changing for the same Device Token associated with a specific user.", "attack": ["resource-development - Compromise Accounts (T1586)"], "intake-formats": []}, {"uuid": "eeb8d983-81df-4e23-95a1-9b67a9701364", "name": "AWS CloudTrail IAM UpdateSAMLProvider", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when an IAM user updates a SAML provider. Attackers could perform that to be stealthy by adding a third-party connection into an existing SAML provider.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "b9bfdaa1-1e39-40d2-8a2e-b5813875b79d", "name": "AWS CloudTrail GuardDuty Detector Suspended", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs", "Services"], "description": "Detects the suspension of the GuardDuty service", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "7205aead-a9c5-4912-b827-76507f0030f2", "name": "AWS CloudTrail EC2 DeleteKeyPair", "effort": "advanced", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when a specific key pair is deleted. This means the public key was removed from EC2.", "attack": ["lateral-movement - Cloud Services (T1021.007)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "663ba461-95cd-40a4-be49-f1a7d7776314", "name": "Microsoft Defender for Office 365 Medium Severity AIR Alert", "effort": "master", "data_sources": ["Office 365 audit logs"], "description": "Microsoft Defender for Office 365 includes the capability to run Automated investigation and response (AIR) actions. This rule detects when a Medium severity alert triggers an automated investigation, such as when suspicious email sending patterns are detected from an account.", "attack": ["resource-development - Compromise Accounts (T1586)", "resource-development - Email Accounts (T1586.002)", "initial-access - Phishing (T1566)", "initial-access - Spearphishing Attachment (T1566.001)", "initial-access - Spearphishing Link (T1566.002)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "8eacf827-1db3-4a0d-ab10-1283c6b28b99", "name": "AWS CloudTrail Remove Flow logs", "effort": "advanced", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when an attacker is removing Flow Logs to cover their tracks", "attack": ["stealth - Disable or Modify Tools (T1562.001)", "stealth - Disable or Modify Cloud Logs (T1562.008)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "9d1f1412-5b8c-4744-910f-51ca727ad68f", "name": "Google Workspace Account Warning", "effort": "elementary", "data_sources": ["GCP audit logs"], "description": "Detects a suspicious login, leaked password, or account disabled following suspicious activity.", "attack": ["initial-access - Valid Accounts (T1078)"], "intake-formats": ["Google Workspace / ChromeOS"]}, {"uuid": "040ec2b1-b41b-4dfc-a9fc-d71fd90cd30c", "name": "Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects the implementation of a MailBoxAuditBypassAssociation option in Microsoft 365 (Office 365). This option is used when you configure a user or computer account to bypass mailbox audit logging, access or actions taken by the user or computer account to any mailbox isn't logged.", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "039d0efd-7d82-4cd7-8252-3ff6de4076df", "name": "Password Change Brute-Force On AzureAD", "effort": "intermediate", "data_sources": ["Authentication logs", "Azure activity logs"], "description": "A change of password has failed on Azure Active Directory, 5 times for the same user", "attack": ["credential-access - Brute Force (T1110)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "511df255-fb1a-4a91-bf21-0a39fe99005f", "name": "Varonis Massive Dowloads By A Single User", "effort": "master", "data_sources": ["File monitoring"], "description": "This rule identifies a high number of File dowloaded by a single user.", "attack": ["impact - Data Encrypted for Impact (T1486)"], "intake-formats": ["Varonis Data Security"]}, {"uuid": "53dc15d0-5b9e-4997-b709-fc936283fc5a", "name": "Google Workspace User Suspended", "effort": "master", "data_sources": ["GCP audit logs"], "description": "Detects when an user is suspended. An attacker can use this to remove an account used during the intrusion.", "attack": ["impact - Account Access Removal (T1531)"], "intake-formats": ["Google Workspace / ChromeOS"]}, {"uuid": "defed353-d2e8-4171-9abb-bb43f84e59c5", "name": "Google Cloud Audit Logs 2FA Disabled", "effort": "intermediate", "data_sources": ["GCP audit logs"], "description": "Detects when Google Cloud Audit Logs notify the 2FA deactivation for a user account.", "attack": ["credential-access - Unsecured Credentials (T1552)"], "intake-formats": []}, {"uuid": "04e1345a-e0f1-4c53-8af7-54a128affa52", "name": "AWS CloudTrail GuardDuty Disruption", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs", "Services"], "description": "Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "6e7f91bf-ee3f-41ec-807a-e474336a8b52", "name": "AWS CloudTrail IAM Failed User Creation", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs"], "description": "Detects an attemp to create a user account where the result is an explicit denied.", "attack": ["defense-impairment - Modify Cloud Compute Infrastructure (T1578)", "privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "aefba8bf-0365-4030-8cec-2742e616a60e", "name": "Okta Application modified", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "An application has been updated on Okta SSO.", "attack": ["privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["Okta"]}, {"uuid": "e62e52e4-31a2-494a-8d4a-d84dc84ae6b0", "name": "AWS CloudTrail KMS CMK Key Deleted", "effort": "advanced", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when a CMK is deleted or scheduled for deletion", "attack": ["stealth - File Deletion (T1070.004)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "dc30a4b1-9340-460c-a9b8-5587017ea395", "name": "Okta User Logged In From Multiple Countries", "effort": "intermediate", "data_sources": ["Authentication logs"], "description": "Detection of login events from multiple countries.", "attack": ["resource-development - Compromise Accounts (T1586)"], "intake-formats": ["Okta"]}, {"uuid": "870fdc2e-9364-4537-88e9-be116da3933e", "name": "GitHub Outside Collaborator Detected", "effort": "advanced", "data_sources": ["Application logs"], "description": "Detects an outside collaborator being removed or having its permissions changed.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Github Audit logs"]}, {"uuid": "d9667cd2-8240-4d26-a02a-56adb37bc6bc", "name": "Microsoft 365 (Office 365) Malware Filter Rule Deletion", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects when a malware filter rule has been deleted in Microsoft 365 (Office 365). The malware filter rule specifies the priority and recipient filters (who the policy applies to) for a malware filter policy.", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "9d2ed8be-c714-4604-93ba-0f13a30ff35b", "name": "Google Workspace User Deletion", "effort": "master", "data_sources": ["GCP audit logs"], "description": "Detects when an user is deleted.", "attack": ["impact - Account Access Removal (T1531)"], "intake-formats": ["Google Workspace / ChromeOS"]}, {"uuid": "d01267c2-3c32-4c7a-a6aa-52e3c3d7008d", "name": "Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically", "effort": "master", "data_sources": ["Office 365 audit logs"], "description": "Microsoft Defender for Office 365 includes the capability to run Automated investigation and response (AIR) actions. This rule detects when a Low or Informational severity alert triggered an automated investigation, and remediation was conducted automatically. Low and Informational alerts include when an email is reported by a user, or when a malicious email is removed after delivery.", "attack": ["initial-access - Phishing (T1566)", "initial-access - Spearphishing Attachment (T1566.001)", "initial-access - Spearphishing Link (T1566.002)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "46961b65-e47f-41db-959a-ea612270d46d", "name": "AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey", "effort": "advanced", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when an attacker is pushing an SSH Public Key to an EC2 instance. Then he can establish a serial connection to the console using SSH.", "attack": ["lateral-movement - Cloud Services (T1021.007)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "532f1fed-e644-42f9-9b6b-89bbee429f06", "name": "Veeam Backup & Replication Malware Detection", "effort": "master", "data_sources": ["Application logs"], "description": "Veeam Backup & Replication has detected some malware related activity", "attack": ["reconnaissance - Vulnerability Scanning (T1595.002)"], "intake-formats": []}, {"uuid": "81adec32-2606-4092-93d9-a84b42d2cf20", "name": "Entra ID Sign-In Via Known AiTM Phishing Kit (Rockstar 2FA)", "effort": "elementary", "data_sources": ["Office 365 audit logs", "Azure activity logs"], "description": "Detects a sign-in attempt with known characteristics of the adversary-in-the-middle phishing kit Rockstar 2FA.", "attack": ["collection - Adversary-in-the-Middle (T1557)", "credential-access - Multi-Factor Authentication Interception (T1111)"], "intake-formats": ["Microsoft Entra ID / Azure AD", "Microsoft 365 / Office 365"]}, {"uuid": "9265fe9f-ffca-4f65-a14e-a87ac62f47b2", "name": "Okta API Token created", "effort": "advanced", "data_sources": ["Access tokens", "Authentication logs"], "description": "A new API Token has been created on Okta SSO.", "attack": ["privilege-escalation - Access Token Manipulation (T1134)"], "intake-formats": ["Okta"]}, {"uuid": "62468573-5611-423a-b28e-56f55b0e948c", "name": "Login Brute-Force Successful On Okta", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "A user has attempted to login several times (brute-force) on Okta and succeeded to login.", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Okta"]}, {"uuid": "0d1e16c5-1dc0-4241-bc0a-c5e0b0414d96", "name": "AWS CloudTrail RDS Change Master Password", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs", "File monitoring"], "description": "Detects the change of database master password. It may be a part of data exfiltration.", "attack": ["exfiltration - Automated Exfiltration (T1020)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "65a6a2d8-84f9-49d3-bbc4-ae8dcd8fca40", "name": "Entra ID Password Compromised Via Seamless SSO Credential Testing", "effort": "elementary", "data_sources": ["Office 365 audit logs"], "description": "Detects a sign-in using the Entra ID Seamless SSO `usernamemixed` endpoint. This endpoint is rarely used legitimately, and often abused by credential testing tools. Note that even if the sign-in was blocked by MFA (error 50074) or device authentication (error 50097), these verifications only occur after the correct password was submitted. The account's password must still be considered compromised, and be changed.", "attack": ["credential-access - Brute Force (T1110)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "8dc3c9ab-51d8-4ce9-8771-4007db09c8e6", "name": "Microsoft 365 Security and Compliance Center Medium Severity Alert", "effort": "master", "data_sources": ["Office 365 audit logs"], "description": "A security or compliance-related alert of medium severity was raised, based on the policies of the tenant. This rule can be very noisy depending on the configuration of the tenant. Alert filters are likely required. In addition, most alerts don't include any context, and are only useful if the analysts have access to the Microsoft portals to investigate.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "a7c1c8ff-5b38-48d1-b536-4e6a177ce098", "name": "Microsoft Intune Non-Compliant Device", "effort": "advanced", "data_sources": ["Azure activity logs"], "description": "Detects Microsoft Intune reporting a device in a non-compliant state. This can indicate either a misconfiguration in Intune or a change of configuration on said device.", "attack": ["defense-impairment - Subvert Trust Controls (T1553)"], "intake-formats": ["Microsoft Intune"]}, {"uuid": "b0e3d634-b04a-4e32-b1ce-4d16b92c835f", "name": "WAF Correlation Block Multiple Destinations", "effort": "master", "data_sources": ["Web application firewall logs"], "description": "Detection of multiple block actions (more than 10) by the Web Application Firewall (WAF) triggered by the same source to mutliple destinations", "attack": ["reconnaissance - Vulnerability Scanning (T1595.002)"], "intake-formats": ["Palo Alto Prisma access", "Palo Alto NGFW"]}, {"uuid": "77f20fb0-a7be-480b-a6ae-f8a4cc670de4", "name": "Okta Admin Privilege Granted", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "Administrator privilege granted to an user or account. This can be privilege escalation, persistance over system or account takedown.", "attack": ["privilege-escalation - Account Manipulation (T1098)", "privilege-escalation - Exploitation for Privilege Escalation (T1068)"], "intake-formats": ["Okta"]}, {"uuid": "07050c26-0b86-4538-9f48-f0383fdac76f", "name": "Okta Application deleted", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "An application has been delete on Okta SSO.", "attack": ["privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["Okta"]}, {"uuid": "b39834d4-e1e4-4b75-bbba-ff898c3cc52a", "name": "Bitsight SPM Minor Vulnerability", "effort": "master", "data_sources": ["Asset management"], "description": "Bitsight SPM has raised a minor vulnerability finding", "attack": ["reconnaissance - Vulnerability Scanning (T1595.002)"], "intake-formats": ["Bitsight SPM"]}, {"uuid": "8bd976c0-55c0-41d9-86f3-864c5f9ff48b", "name": "Microsoft Entra ID (Azure AD) Leaked Credentials", "effort": "master", "data_sources": ["Azure activity logs"], "description": "Detects when Microsoft Entra ID (Azure AD) identifies that the user's valid credentials have been leaked. This sharing is typically done by posting publicly on the dark web, paste sites, or by trading and selling the credentials on the black market. To use this feature, you must have an Microsoft Entra ID (Azure AD) Premium P2 license (https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection).", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "ecae3c71-2d85-4150-a952-cee547e15913", "name": "Google Workspace User Creation", "effort": "master", "data_sources": ["GCP audit logs"], "description": "Detects when a new user is created.", "attack": ["persistence - Cloud Account (T1136.003)"], "intake-formats": ["Google Workspace / ChromeOS"]}, {"uuid": "333f6e95-0770-4ea6-a049-3c01dbc72a58", "name": "Microsoft Intune Policy Change", "effort": "intermediate", "data_sources": ["Azure activity logs"], "description": "Detects edits, deletions or creations made to an organization Microsoft Intune policies.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Microsoft Intune"]}, {"uuid": "f5f5f437-faf4-4183-9740-52360a1f96eb", "name": "Cisco ESA Suspicious Email With Attachment", "effort": "advanced", "data_sources": ["Email gateway"], "description": "Detects an email with an attachment, from a sender tagged as suspect, detected by either the Antivirus or the Advanced Malware Protection (AMP) engine and delivered to the recipient", "attack": ["initial-access - Spearphishing Attachment (T1566.001)"], "intake-formats": []}, {"uuid": "cb776388-c301-4f77-94af-865dc4d7cd5c", "name": "Microsoft Entra ID (Azure AD) Domain Trust Modification", "effort": "elementary", "data_sources": ["Azure activity logs"], "description": "Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Confirm the added or modified target domain/URL is legitimate administrator behavior.", "attack": ["privilege-escalation - Trust Modification (T1484.002)"], "intake-formats": ["Microsoft Entra ID / Azure AD", "Microsoft 365 / Office 365"]}, {"uuid": "c1aaf00e-1f68-4835-85c2-6a5b3d495235", "name": "Entra ID Sign-In Via Known AiTM Phishing Kit (CEPHAS 2FA)", "effort": "elementary", "data_sources": ["Office 365 audit logs", "Azure activity logs"], "description": "Detects a sign-in attempt with known characteristics of the adversary-in-the-middle phishing kit CEPHAS 2FA.", "attack": ["collection - Adversary-in-the-Middle (T1557)", "credential-access - Multi-Factor Authentication Interception (T1111)"], "intake-formats": ["Microsoft Entra ID / Azure AD", "Microsoft 365 / Office 365"]}, {"uuid": "bd6d36e7-71eb-45f0-a5a7-888d882510fc", "name": "Microsoft Entra ID (Azure AD) Threat Intelligence", "effort": "intermediate", "data_sources": ["Azure activity logs"], "description": "Detects when Microsoft Entra ID (Azure AD) identifies a sign-in activity that is unusual for the given user or is consistent with known attack patterns based on Microsoft's internal and external threat intelligence sources. To use this feature, you must have an Microsoft Entra ID (Azure AD) Premium P2 license (https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection).", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "f26c7221-b6e8-4c3b-8b35-2aabab97445a", "name": "AWS Persistence By Creating KeyPair And SecurityGroup", "effort": "master", "data_sources": ["AWS CloudTrail logs"], "description": "Attackers can use AWS credentials to create a KeyPair and a SecurityGroup to have continuous access to the AWS account.", "attack": ["persistence - Cloud Account (T1136.003)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "1c5095af-65a4-4b69-bb61-cc092a482ea9", "name": "Login Brute-Force On Sekoia.io", "effort": "intermediate", "data_sources": ["Authentication logs", "Web logs"], "description": "Detects successful access to Sekoia.io after several failure.", "attack": ["credential-access - Brute Force (T1110)", "initial-access - Valid Accounts (T1078)"], "intake-formats": []}, {"uuid": "84ef2ee8-0412-4838-a312-e1cfed34ed12", "name": "Microsoft 365 (Office 365) AtpDetection", "effort": "intermediate", "data_sources": ["Anti-virus"], "description": "Detects when an AtpDetection (Advanced Threat Protection) event from the Office365 ThreatIntelligence service is raised. AtpDetection is a service which secures emails, attachments, and files by scanning them for threats.", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "705e7488-60a2-4613-b398-d546fa64528e", "name": "Microsoft 365 (Office 365) Malware Uploaded On OneDrive", "effort": "intermediate", "data_sources": ["Anti-virus"], "description": "Detects when Microsoft 365 (Office 365) identifies a malicious file uploaded to OneDrive. Attackers can use this method to propagate through the network.", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "cacac10f-f70d-4395-8b24-61aa4ec21024", "name": "Google Cloud Audit Logs Email Forwarding", "effort": "advanced", "data_sources": ["GCP audit logs"], "description": "Detects when an out of domain email forwarding is enabled on Google Cloud.", "attack": ["collection - Email Forwarding Rule (T1114.003)"], "intake-formats": []}, {"uuid": "ee7abe17-1a27-4ebc-bc81-e5cbc64652ab", "name": "Microsoft 365 (Office 365) DLP Policy Removed", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects when a DLP (Data Loss Prevention) policy is removed in Microsoft 365 (Office 365). DLP policies defines which resources can be shared and with whom, preventing sensitive information from being leaked.", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "386e570d-ef94-4f9b-9e60-37c9d4915bbe", "name": "Okta Suspicious Activity Reported", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network.", "attack": ["initial-access - Valid Accounts (T1078)"], "intake-formats": ["Okta"]}, {"uuid": "e58b7fb4-0468-4852-8ad7-e69a63cc45f7", "name": "Okta Network Zone Deleted", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "Detects attempts to delete an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", "attack": ["stealth - Disable or Modify Cloud Firewall (T1562.007)"], "intake-formats": ["Okta"]}, {"uuid": "0d8bdb95-ab31-419f-b3f3-9fa68a1ce4ef", "name": "Microsoft Entra ID (Azure AD) Anonymous IP", "effort": "advanced", "data_sources": ["Azure activity logs"], "description": "Detects when Microsoft Entra ID (Azure AD) identifies sign-ins from a risky IP address, for example, using an anonymous browser or VPN. To use this feature, you must have an Microsoft Entra ID (Azure AD) Premium P2 license (https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection).", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "927c0cee-7f36-43b3-b2a5-4cc98cb152ef", "name": "Microsoft 365 (Office 365) MCAS Repeated Delete", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects when Microsoft Cloud App Security identifies that a user has deleted an unusually large volume of files. To use this feature, you must have an Microsoft 365 (Office 365) E5 license (https://docs.microsoft.com/en-us/defender-cloud-apps/get-started?culture=fr-fr&country=FR).", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "22da2125-5aa7-4739-a247-2ec8626240d0", "name": "AWS CloudTrail S3 Bucket Replication", "effort": "master", "data_sources": ["AWS CloudTrail logs"], "description": "Detects a replication rule being enable for a given S3 bucket: it could provide an attacker a way to exfiltrate data.", "attack": ["defense-impairment - Delete Cloud Instance (T1578.003)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "b5467da4-ffa0-4d84-bd8e-08af48b8779d", "name": "Okta Access To Admin Console Denied", "effort": "master", "data_sources": ["Authentication logs"], "description": "Detects when an attempt was made to access the Okta Admin Console from an interactive user account but failed.", "attack": ["initial-access - Valid Accounts (T1078)"], "intake-formats": ["Okta"]}, {"uuid": "855ab5ba-b2d1-4507-8c61-7095d9ff1801", "name": "AWS CloudTrail ECS Cluster Deleted", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when an attacker is destroying an AWS ECS Cluster", "attack": ["defense-impairment - Delete Cloud Instance (T1578.003)", "impact - Data Destruction (T1485)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "20decb09-128e-4c44-8327-7c5e5ce398c0", "name": "Google Workspace App Script Scheduled Task", "effort": "advanced", "data_sources": ["GCP audit logs"], "description": "Detects when a scheduled task is launched by Google App Script. This product is used to create scripts and integrate applications within Google Workspace.", "attack": ["privilege-escalation - Scheduled Task/Job (T1053)"], "intake-formats": ["Google Workspace / ChromeOS"]}, {"uuid": "442b24d1-b252-4376-8694-5469f3aab2c7", "name": "Google Cloud Audit Logs Attack Warning", "effort": "intermediate", "data_sources": ["GCP audit logs"], "description": "Detects when Google Cloud Audit Logs notify an attack warning such as the famous \"Government-backed attack\".", "attack": ["initial-access - Cloud Accounts (T1078.004)"], "intake-formats": []}, {"uuid": "dfaadb61-a377-49df-a6bc-51e7b6c8bf86", "name": "Microsoft Entra ID (Azure AD) Suspicious IP", "effort": "intermediate", "data_sources": ["Azure activity logs"], "description": "Detects when Microsoft Entra ID (Azure AD) identifies a suspicious IP address. An IP address is considered suspicious based on high failure rates because of invalid credentials received from the IP address or other IP reputation sources. To use this feature, you must have an Microsoft Entra ID (Azure AD) Premium P2 license (https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection).", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "fa830da5-3fe9-4fa7-8548-5a916346cf65", "name": "Zscaler ZIA Suspicious Threat Outbreak", "effort": "master", "data_sources": ["Web proxy"], "description": "Spots a peak of malicious threat detection by Zscaler ZIA", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": []}, {"uuid": "10df500b-714a-469b-810a-76bdc0da5f5e", "name": "Bitsight SPM Material Vulnerability", "effort": "master", "data_sources": ["Asset management"], "description": "Bitsight SPM has raised a material vulnerability finding", "attack": ["reconnaissance - Vulnerability Scanning (T1595.002)"], "intake-formats": ["Bitsight SPM"]}, {"uuid": "a0829df9-7790-4041-a617-001f40966d40", "name": "Microsoft 365 (Office 365) Safe Attachment Rule Disabled", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects when the safe attachment rule has been deleted in Microsoft 365 (Office 365). Safe Attachments is a feature in Microsoft Defender for Microsoft 365 (Office 365) that opens email attachments in a special hypervisor environment to detect malicious activity.", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "3f839059-676f-41c9-9297-aa8ec3670841", "name": "Entra ID Sign-In Via Known AiTM Phishing Kit (Mamba 2FA)", "effort": "elementary", "data_sources": ["Office 365 audit logs", "Azure activity logs"], "description": "Detects a sign-in attempt with known characteristics of the adversary-in-the-middle phishing kit tracked by Sekoia.io as Mamba 2FA.", "attack": ["collection - Adversary-in-the-Middle (T1557)", "credential-access - Multi-Factor Authentication Interception (T1111)"], "intake-formats": ["Microsoft Entra ID / Azure AD", "Microsoft 365 / Office 365"]}, {"uuid": "47f618bc-fda5-4ebb-bf6b-ff5762feb8e2", "name": "AWS CloudTrail Route 53 Domain Transfer Lock Disabled", "effort": "elementary", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when the transfer lock feature is disabled on a domain name handled by AWS Route 53 service.", "attack": ["defense-impairment - Modify Cloud Compute Infrastructure (T1578)", "privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "d7374e7c-1faa-4327-bad3-78a27064839d", "name": "Okta Security Threat Detected", "effort": "intermediate", "data_sources": ["Authentication logs"], "description": "Detects when a security threat is detected in Okta.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["Okta"]}, {"uuid": "91e35f85-ca28-4024-b543-50ca5bf4f6af", "name": "AWS Suspicious Discovery Commands", "effort": "master", "data_sources": ["AWS CloudTrail logs"], "description": "Attackers often use discovery commands such as DescribeInstances or DescribeSecurityGroups, and many others, to find how an AWS tenant is configured.", "attack": ["discovery - Cloud Infrastructure Discovery (T1580)", "discovery - Cloud Service Discovery (T1526)", "discovery - Cloud Storage Object Discovery (T1619)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "0ebfdb60-3eba-4f2b-9509-3cec58b1d4fa", "name": "GitHub Dependabot Or Vulnerability Alerts Disabled", "effort": "advanced", "data_sources": ["Application logs"], "description": "Detects dependabot or vulnerability alerts being disabled. Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Github Audit logs"]}, {"uuid": "2c86166a-31ba-430b-8d7f-671bb9009a95", "name": "Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country", "effort": "master", "data_sources": ["Azure activity logs"], "description": "Detects when Microsoft Entra ID (Azure AD) identifies sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior. To use this feature, you must have an Microsoft Entra ID (Azure AD) Premium P2 license (https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection).", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "6922fa37-8879-4ecf-8722-ddeaf084b8a7", "name": "Microsoft 365 (Office 365) MCAS Detection Velocity", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects when Microsoft Cloud App Security identifies two user activities (a single or multiple sessions) originating from geographically distant locations within a time period shorter than the time it would have taken the user to travel from the first location to the second. To use this feature, you must have an Microsoft 365 (Office 365) E5 license (https://docs.microsoft.com/en-us/defender-cloud-apps/get-started?culture=fr-fr&country=FR).", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "a00512d4-0e9f-43ee-bef9-05d327d8632d", "name": "Microsoft 365 (Office 365) MCAS Risky IP", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects when Microsoft Cloud App Security identifies sign-ins from a risky IP address, for example, using an anonymous browser or VPN. To use this feature, you must have an Microsoft 365 (Office 365) E5 license (https://docs.microsoft.com/en-us/defender-cloud-apps/get-started?culture=fr-fr&country=FR).", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "f1d1d368-fed5-4e97-94e9-862bdb3d38c3", "name": "AWS CloudTrail RDS DB Cluster/Instance Deleted", "effort": "advanced", "data_sources": ["AWS CloudTrail logs", "Services"], "description": "Detects when an attacker is destroying a RDS Cluster or Instance", "attack": ["impact - Data Destruction (T1485)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "17b4526e-145a-4c2f-a246-dc8e2160d2d9", "name": "AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2", "effort": "elementary", "data_sources": ["AWS CloudTrail logs", "Services"], "description": "Detects when AWS CloudTrail detected an AWS Access Key that was compromised, and then quarantined by AWS. This could indicate for instance that the private key was found on a GitHub public repository.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "9a48acdb-54c9-4f84-8f71-499b58c3ebbe", "name": "Google Workspace Admin Creation", "effort": "master", "data_sources": ["GCP audit logs"], "description": "Detects when an admin is created or when his role is changed.", "attack": ["initial-access - Valid Accounts (T1078)"], "intake-formats": ["Google Workspace / ChromeOS"]}, {"uuid": "3a911dd8-9c46-47b5-965b-17244558bbb0", "name": "Google Workspace Bypass 2FA", "effort": "master", "data_sources": ["GCP audit logs"], "description": "Detects when user tries to bypass the 2FA.", "attack": ["privilege-escalation - Bypass User Account Control (T1548.002)"], "intake-formats": ["Google Workspace / ChromeOS"]}, {"uuid": "0694f03f-bd58-4a63-ad3e-20597f865490", "name": "Microsoft 365 Email Forwarding To Consumer Email Address", "effort": "intermediate", "data_sources": ["Office 365 audit logs"], "description": "An email forwarding rule was created, that automatically forwards incoming emails to an address outside of the organization (most common consumer email services).", "attack": ["collection - Email Forwarding Rule (T1114.003)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "110ae745-e4df-4b5c-87e8-e330efebc69e", "name": "Jumpcloud Account Locked", "effort": "intermediate", "data_sources": ["Authentication logs"], "description": "A user has been locked on Jumpcloud portal.", "attack": ["impact - Account Access Removal (T1531)"], "intake-formats": ["Jumpcloud Directory Insights"]}, {"uuid": "6bcb7467-becb-4c45-b243-dad5aac5d550", "name": "Okta Many Passwords Reset Attempt", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "This rule identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their target's environment and evade detection.", "attack": ["initial-access - Valid Accounts (T1078)"], "intake-formats": ["Okta"]}, {"uuid": "ce6c23a6-bbf0-4983-bbd4-b0f741f00c59", "name": "Login Brute-Force Successful On AzureAD From Single IP Address", "effort": "advanced", "data_sources": ["Azure activity logs", "Authentication logs"], "description": "A user has attempted to login several times (brute-force) on AzureAD and succeeded to login, all from the same source IP address and in a timerange of 5 minutes.", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "23aa0dcf-8071-4038-8817-303bd5590a7a", "name": "Okta MFA Disabled", "effort": "intermediate", "data_sources": ["Authentication logs"], "description": "A MFA has beed disabled in Okta SSO. This is a common behavior to gain permanent access over a system.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Okta"]}, {"uuid": "f0da5b1b-4853-4aab-a3ed-24d0c270827a", "name": "Google Workspace Blocked Sender", "effort": "advanced", "data_sources": ["GCP audit logs"], "description": "Detects when a user is blocked by google workspace.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Google Workspace / ChromeOS"]}, {"uuid": "014a0531-10e2-48e7-a46b-9ee7e95da073", "name": "Bitsight SPM Moderate Vulnerability", "effort": "master", "data_sources": ["Asset management"], "description": "Bitsight SPM has raised a moderate vulnerability finding", "attack": ["reconnaissance - Vulnerability Scanning (T1595.002)"], "intake-formats": ["Bitsight SPM"]}, {"uuid": "18860017-fdfa-4a94-b913-ffa6d339bcb7", "name": "Login Brute-Force Successful On Jumpcloud Portal", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "A user has attempted to login several times (brute-force) on Jumpcloud Portal and succeeded to login.", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Palo Alto Prisma access", "Rubycat PROVE IT", "CyberArk Digital Vault", "Palo Alto NGFW", "F5 BIG-IP", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "b87c67e0-7896-4264-a1ba-ffbbb398706c", "name": "AWS CloudTrail RDS Public DB Restore", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs", "File monitoring"], "description": "Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.", "attack": ["exfiltration - Automated Exfiltration (T1020)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "8bca9464-72fa-4f49-9905-79f498892d2d", "name": "AWS CloudTrail Important Change", "effort": "advanced", "data_sources": ["AWS CloudTrail logs", "Services"], "description": "Detects disabling, deleting and updating of a Trail source which could be done by some attackers trying to masquerade their activity.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "29d25794-e7e3-4988-87a7-7918ce3c4dbb", "name": "AWS CloudTrail GuardDuty Detector Deleted", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs", "Services"], "description": "Detects when an attacker is trying to evade defenses by deleting a GuardDuty detector", "attack": ["stealth - Impair Defenses (T1562)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "b9a68264-9edf-4afc-afae-1b90542b92f3", "name": "AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when a Client ID is removed from an identity provider that supports OpenID Connect. Could be used by attackers for sabotage or to cover their tracks.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "45e34544-318d-4b72-bf86-57a803c618fc", "name": "AWS CloudTrail IAM ChangePassword", "effort": "advanced", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when an IAM user wants to change its password.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "d64cf1a5-efa4-4780-998f-e475b307bedc", "name": "Microsoft 365 Sign-in With No User Agent", "effort": "elementary", "data_sources": ["Office 365 audit logs"], "description": "Detects a sign-in without any User-Agent header. This may indicate that the sign-in originated from an adversary-in-the-middle phishing page or a password spraying tool. Sign-ins happening through a regular web browser always have a User-Agent header. Investigate the source IP address. If it is unknown, assume that the account's password is compromised.", "attack": ["collection - Adversary-in-the-Middle (T1557)", "credential-access - Multi-Factor Authentication Interception (T1111)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "3a9e3a24-d87b-45b6-ad28-056318849655", "name": "Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses", "effort": "intermediate", "data_sources": ["Office 365 account logs"], "description": "Detection of login events from two IP addresses within 3mn, as it could happen if someone got phished with a tool like Evilginx2.", "attack": ["collection - Adversary-in-the-Middle (T1557)", "credential-access - Multi-Factor Authentication Interception (T1111)", "initial-access - Spearphishing Link (T1566.002)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "41658b1d-e33d-4e67-8eab-2cad73d0e101", "name": "Varonis Many File Created and Deleted", "effort": "master", "data_sources": ["File monitoring"], "description": "This rule identifies a high number of file created and deleted on the same host. It is a typical ransomware behavior.", "attack": ["impact - Data Encrypted for Impact (T1486)"], "intake-formats": ["Varonis Data Security"]}, {"uuid": "b22b2c38-9cad-45d6-9b56-d3ad3afda6af", "name": "Google Cloud Audit Logs Custom Gmail Route", "effort": "advanced", "data_sources": ["GCP audit logs"], "description": "Detects when a custom Gmail route is added or modified. This could be abused by attackers to exfiltrate data.", "attack": ["collection - Email Forwarding Rule (T1114.003)"], "intake-formats": []}, {"uuid": "d7d45cd6-c4f5-4e7b-ae75-f3f785092131", "name": "Microsoft Entra ID (Azure AD) Unfamiliar Features", "effort": "master", "data_sources": ["Azure activity logs"], "description": "Detects when Microsoft Entra ID (Azure AD) identifies sign-ins with characteristics that deviate from past sign-in properties. To use this feature, you must have an Microsoft Entra ID (Azure AD) Premium P2 license (https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection).", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "fe43cc23-9144-436c-8b6b-b3f5ea08ccfa", "name": "Google Workspace Email Forwarding", "effort": "advanced", "data_sources": ["GCP audit logs"], "description": "Detects when a user enables email forwarding out of the domain", "attack": ["collection - Email Forwarding Rule (T1114.003)"], "intake-formats": ["Google Workspace / ChromeOS"]}, {"uuid": "d3af04ae-74b5-47cc-a2b4-87e4a22d1d9d", "name": "Microsoft 365 Device Code Authentication", "effort": "master", "data_sources": ["Office 365 audit logs"], "description": "Authentication via a device code is designed for use with input constrained devices. This method can however be abused, particularly in social engineering attacks. Whitelisting based on the organisation's practices is likely required to make this rule useful (e.g. excluding the public IP ranges of the organisation, excluding authentications attempt from managed devices, etc.). Note: if you collect Entra ID SignInLogs, the rule \"Microsoft Entra ID (Azure AD) Device Code Authentication\" is a better equivalent to this rule.", "attack": ["initial-access - Cloud Accounts (T1078.004)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "06e7bdb0-4bc2-409e-9165-9513f14ce1e6", "name": "Suspicious Activity Using Quick Assist", "effort": "elementary", "data_sources": ["Office 365 account logs"], "description": "Detects when a chat is created (abusing Quick Assist feature) with a user external to the domain, which has been observed as a some phishing attemp by ransomware groups.", "attack": ["command-and-control - Remote Access Tools (T1219)"], "intake-formats": []}, {"uuid": "6d9f16f3-10bd-4ca3-b9b8-9713338c827c", "name": "AWS CloudTrail Config DeleteConfigurationRecorder", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs", "Services"], "description": "Detects when the Configuration Recorder was deleted. The configuration recorder is used to detect changes in your resource configurations and capture these changes as configuration items.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "9dd01ce8-9e68-4081-9802-9367939bc889", "name": "AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs"], "description": "Detects the update of a ThumbPrint from an identity provider that supports OpenID Connect. This could be a sign of an attacker adding a trusted certificate.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "d5d523cb-05bd-4bf7-9e6b-e4413ab89092", "name": "Microsoft Entra ID (Azure AD) Malicious IP", "effort": "intermediate", "data_sources": ["Azure activity logs"], "description": "Detects when Microsoft Entra ID (Azure AD) identifies a malicious IP address. An IP address is considered malicious based on high failure rates because of invalid credentials received from the IP address or other IP reputation sources. To use this feature, you must have an Microsoft Entra ID (Azure AD) Premium P2 license (https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection).", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "c203de71-9400-46b6-98de-0cf2a6cae93e", "name": "Microsoft 365 (Office 365) Malware Uploaded On SharePoint", "effort": "intermediate", "data_sources": ["Anti-virus"], "description": "Detects when Microsoft 365 (Office 365) identifies a malicious file uploaded to SharePoint. Attackers can use this method to propagate through the network.", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "e290a62a-814b-4377-82b8-c037d46bb36a", "name": "Microsoft 365 (Office 365) MCAS Inbox Hiding", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects when Microsoft Cloud App Security identifies that a suspicious inbox rule was set on a user\u2019s inbox. This may indicate that the user account is compromised, and that the mailbox is being used to distribute spam and malware in your organization. To use this feature, you must have an Microsoft 365 (Office 365) E5 license (https://docs.microsoft.com/en-us/defender-cloud-apps/get-started?culture=fr-fr&country=FR).", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "73e69718-5a18-4f56-9544-3d21f26ee7aa", "name": "Microsoft Entra ID (Azure AD) Device Code Authentication", "effort": "master", "data_sources": ["Azure activity logs"], "description": "Authentication via a device code is designed for use with input constrained devices. This method can however be abused, particularly in social engineering attacks. Whitelisting based on the organisation's practices is likely required to make this rule useful (e.g. excluding the public IP ranges of the organisation, excluding authentications attempt from managed devices, etc.)", "attack": ["initial-access - Cloud Accounts (T1078.004)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "37716900-c748-40aa-8701-7404809714fe", "name": "Google Workspace Suspicious Login", "effort": "master", "data_sources": ["GCP audit logs"], "description": "Detects a suspicious login reported by google.", "attack": ["initial-access - Valid Accounts (T1078)"], "intake-formats": []}, {"uuid": "f8d63e1a-dc75-4dc4-b1de-4eee809a3f72", "name": "Microsoft 365 Suspicious Inbox Rule", "effort": "elementary", "data_sources": ["Office 365 audit logs"], "description": "Business Email Compromise threat actors often create inbox rules to forward, hide, or delete emails containing sensitive information. This rule detects common caracteristics of malicious inbox rules.", "attack": ["stealth - Email Hiding Rules (T1564.008)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "6e2dd2d4-f602-4a29-af5f-75e7e98c6131", "name": "Microsoft 365 (Office 365) Unusual Volume Of File Deletion", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects when Microsoft Cloud App Security identifies that a user has deleted an unusually large volume of files.", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "875464a7-7b47-4d83-83a8-ca589aa347e1", "name": "Cloudflare HTTP Requests Rule Block Or Drop", "effort": "master", "data_sources": ["Web application firewall logs"], "description": "Detects when one of Cloudflare Web Application Firewall (WAF) Managed rule blocked or dropped an HTTP request. It requires only Cloudflare HTTP requests logs.", "attack": ["reconnaissance - Vulnerability Scanning (T1595.002)"], "intake-formats": ["Cloudflare HTTP requests"]}, {"uuid": "b3fb4572-21a6-4cce-8265-8b2e5436819e", "name": "Entra ID Sign-In Via Known AiTM Phishing Kit (Gabagool)", "effort": "elementary", "data_sources": ["Office 365 audit logs", "Azure activity logs"], "description": "Detects a sign-in attempt with known characteristics of the adversary-in-the-middle phishing kit Gabagool. The `filter_password_spraying` exclusion corresponds to a password spraying tool which is already detected by the rule `Entra ID Password Compromised By Known Credential Testing Tool`.", "attack": ["collection - Adversary-in-the-Middle (T1557)", "credential-access - Multi-Factor Authentication Interception (T1111)"], "intake-formats": ["Microsoft Entra ID / Azure AD", "Microsoft 365 / Office 365"]}, {"uuid": "34b7a40b-3440-4c15-ad69-7e9c80a92f60", "name": "Okta Blacklist Manipulations", "effort": "intermediate", "data_sources": ["Authentication logs"], "description": "Detects when some manipulation are done in blacklist configurations.", "attack": ["stealth - Impair Defenses (T1562)"], "intake-formats": ["Okta"]}, {"uuid": "753434e1-1675-4492-90c6-d13ebcb5e07f", "name": "Okta MFA Brute-Force Successful", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "A user has attempted to login several times (brute-force) on Okta and succeeded to login by spamming MFA.", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Okta"]}, {"uuid": "da823e97-7f85-4133-b780-363934fba799", "name": "Okta User Account Locked", "effort": "intermediate", "data_sources": ["Authentication logs"], "description": "An user has been locked in Okta.", "attack": ["impact - Account Access Removal (T1531)"], "intake-formats": ["Okta"]}, {"uuid": "f99d848e-cb4c-4276-bcb7-521064bc69f8", "name": "Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding", "effort": "master", "data_sources": ["Azure activity logs"], "description": "Detects when Microsoft Entra ID (Azure AD) identifies suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address. To use this feature, you must have an Microsoft Entra ID (Azure AD) Premium P2 license (https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection).", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "fdb670c5-8d34-4c0f-af21-6edc4387d6d3", "name": "Okta Network Zone Deactivated", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", "attack": ["stealth - Disable or Modify Cloud Firewall (T1562.007)"], "intake-formats": ["Okta"]}, {"uuid": "53b00fd6-5715-44eb-9f67-84d729f65bc8", "name": "Entra ID Sign-In Via Known AiTM Phishing Kit (Sneaky 2FA)", "effort": "elementary", "data_sources": ["Office 365 audit logs", "Azure activity logs"], "description": "Detects a sign-in attempt with an impossible device shift characteristic of the adversary-in-the-middle phishing kit Sneaky 2FA.", "attack": ["collection - Adversary-in-the-Middle (T1557)", "credential-access - Multi-Factor Authentication Interception (T1111)"], "intake-formats": ["Microsoft Entra ID / Azure AD", "Microsoft 365 / Office 365"]}, {"uuid": "3f3a9bc0-ef29-431e-8a40-40e7d857cb21", "name": "Okta User Logged In Multiple Applications", "effort": "intermediate", "data_sources": ["Authentication logs"], "description": "Detection of login events on multiple application.", "attack": ["resource-development - Compromise Accounts (T1586)"], "intake-formats": ["Okta"]}, {"uuid": "e2afe5f0-8c01-4ce0-b466-a70362804d50", "name": "Okta Policy Modified or Deleted", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "Detects when an Okta policy is modified or deleted.", "attack": ["privilege-escalation - Domain or Tenant Policy Modification (T1484)"], "intake-formats": ["Okta"]}, {"uuid": "3cbd3a26-4def-44be-8455-3e18ef67f94c", "name": "Okta Security Threat Configuration Updated", "effort": "intermediate", "data_sources": ["Authentication logs"], "description": "Detects when the threat configuration has been updated in Okta.", "attack": ["stealth - Impair Defenses (T1562)"], "intake-formats": ["Okta"]}, {"uuid": "6ab7c366-eb70-4011-8bfa-79ce3b5c2927", "name": "Google Workspace Anomaly File Downloads", "effort": "master", "data_sources": ["GCP audit logs"], "description": "Detects a large number of file downloads.", "attack": ["execution - User Execution (T1204)"], "intake-formats": []}, {"uuid": "a99acd2f-7c95-4498-a8d3-320fded09943", "name": "Okta User Account Deactivated", "effort": "master", "data_sources": ["Authentication logs"], "description": "A user account has been deactivated in Okta.", "attack": ["privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["Okta"]}, {"uuid": "a94b5441-9932-4662-99ed-2d5c404c6f86", "name": "Zscaler ZIA Suspicious Threat", "effort": "master", "data_sources": ["Web proxy"], "description": "Zscaler Internet Access has detected a network traffic as malicious", "attack": ["execution - Malicious Link (T1204.001)"], "intake-formats": ["Zscaler Internet Access"]}, {"uuid": "25956d53-480b-4e05-9ec3-5389a5bd5bb4", "name": "RSA SecurID Failed Authentification", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "Detects many failed attempts to authenticate followed by a successfull login for a super admin account.", "attack": ["credential-access - Brute Force (T1110)"], "intake-formats": ["RSA SecurID"]}, {"uuid": "9952002d-2042-4ef7-b8c5-42c9b55e184b", "name": "AWS CloudTrail IAM CreateOpenIDConnectProvider", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs"], "description": "Detects the creation of an IAM entity to describe an identity provider that supports OpenID Connect.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "7be9115f-bbd6-40f3-8d5f-b9ecce23ea1e", "name": "AWS CloudTrail EC2 Enable Serial Console Access", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when the EC2 serial console access feature is enabled. This could abused by some attackers to avoid network detection when accessing to EC2 instances.", "attack": ["lateral-movement - Cloud Services (T1021.007)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "4fa216ac-0b38-4bea-b503-bb2f78afa2ce", "name": "GitHub New Organization Member", "effort": "advanced", "data_sources": ["Application logs"], "description": "Detects when a member is added or invited to a GitHub organization.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Github Audit logs"]}, {"uuid": "cfaf562f-d035-4616-8907-38689e7a709c", "name": "Microsoft 365 Authenticated Activity From Tor IP Address", "effort": "advanced", "data_sources": ["Office 365 audit logs"], "description": "Detects authenticated Microsoft 365 activity from an IP address associated with Tor.", "attack": ["command-and-control - Multi-hop Proxy (T1090.003)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "4e45660e-25f2-4aeb-98f0-0cd50753931c", "name": "Google Workspace External Sharing", "effort": "master", "data_sources": ["GCP audit logs"], "description": "Detects a large number of external sharing.", "attack": ["command-and-control - Application Layer Protocol (T1071)"], "intake-formats": ["Google Workspace / ChromeOS"]}, {"uuid": "81d3c834-1b7e-4ba2-83a4-839dcec6a875", "name": "Google Cloud Audit Logs Trusted Domain Added", "effort": "intermediate", "data_sources": ["GCP audit logs"], "description": "Detects when a domain name is added to Google Workspace Trusted Domain. This could be used by an attacker to bypass some security controls or just be a legit admin action.", "attack": ["stealth - Disable or Modify Cloud Firewall (T1562.007)"], "intake-formats": []}, {"uuid": "036ebf9a-b92f-42c7-a609-246983d82126", "name": "AWS CloudTrail IAM Policy Changed", "effort": "master", "data_sources": ["AWS CloudTrail logs"], "description": "Detects change on AWS IAM Policy", "attack": ["defense-impairment - Modify Cloud Compute Infrastructure (T1578)", "privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "5db515e3-5da7-4c9d-897f-947bcd3ae3f3", "name": "Microsoft 365 (Office 365) MCAS Repeated Failed Login", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects when Microsoft Cloud App Security identifies a large number of failed login attempts which may indicate a brute-force attempt. To use this feature, you must have an Microsoft 365 (Office 365) E5 license (https://docs.microsoft.com/en-us/defender-cloud-apps/get-started?culture=fr-fr&country=FR).", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "ee8d9e10-b168-44d4-a14b-38ee5fcee560", "name": "Microsoft 365 Email Forwarding To Email Address With Rare TLD", "effort": "intermediate", "data_sources": ["Office 365 audit logs"], "description": "An email forwarding rule was created, that automatically forwards incoming emails to an address outside of the organization (less common top-level domain).", "attack": ["collection - Email Forwarding Rule (T1114.003)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "5270ef3e-c2c4-4a8a-9718-f53a9ad501fb", "name": "Microsoft 365 (Office 365) Anti-Phishing Rule Deletion", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects the deactivation of the anti-phishing rule from Microsoft 365 (Office 365). The anti-phishing rule specifies the priority and recipient filters (who the policy applies to) for an anti-phish policy.", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "3b13033b-908b-4ee9-8560-09414dcff952", "name": "AWS CloudTrail EC2 Startup Script Changed", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs"], "description": "Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM everytime the specific instances are booted up.", "attack": ["execution - PowerShell (T1059.001)", "execution - Windows Command Shell (T1059.003)", "execution - Unix Shell (T1059.004)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "b4347866-ec0c-441a-bb0d-3e954e404143", "name": "Jumpcloud Policy Modified", "effort": "intermediate", "data_sources": ["Authentication logs"], "description": "Detects when a Jumpcloud policy is modified.", "attack": ["privilege-escalation - Domain or Tenant Policy Modification (T1484)"], "intake-formats": ["Jumpcloud Directory Insights"]}, {"uuid": "c9cd98ce-bf53-47ae-9d1c-6effca12977b", "name": "AWS CloudTrail EC2 Security Group Modified", "effort": "master", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when an AWS EC2 security group has been modified", "attack": ["stealth - Impair Defenses (T1562)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "22bada16-4399-4113-940d-5397cb9b8613", "name": "Entra ID Password Compromised By Known Credential Testing Tool", "effort": "elementary", "data_sources": ["Office 365 audit logs", "Azure activity logs"], "description": "Detects a sign-in that has a correlation ID known to be used by malicious credential testing scripts. Note that even if the sign-in was blocked by MFA (error 50074) or device authentication (error 50097), these verifications only occur after the correct password was submitted. The account's password must still be considered compromised, and be changed.", "attack": ["credential-access - Brute Force (T1110)"], "intake-formats": ["Microsoft Entra ID / Azure AD", "Microsoft 365 / Office 365"]}, {"uuid": "ebc07d97-ea80-4238-8a7f-e3f63ce5edba", "name": "Mimecast Email Security Virus Not Denied", "effort": "master", "data_sources": ["Email gateway"], "description": "Detects when a virus signature has been detected by Mimecast and was not denied.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Mimecast Email Security"]}, {"uuid": "d84d4d16-bfb2-445a-a7ce-438818caf398", "name": "Mimecast Email Security Malicious QRCode Not Denied", "effort": "master", "data_sources": ["Email gateway"], "description": "Detects a malicious qrcode in an email not denied by Mimecast.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Mimecast Email Security"]}, {"uuid": "7afcebb0-1110-436b-bf54-fdd992053836", "name": "Microsoft 365 (Office 365) Anti-Phishing Policy Deletion", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects when the anti-phishing policy is removed from Microsoft 365 (Office 365). By default, Microsoft 365 (Office 365) includes built-in features that help protect users from phishing attacks. This policy specifies the phishing protections to enable or disable, and the actions to apply options.", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "8bf4df86-d940-4bae-a05e-5ad01f32c521", "name": "AWS CloudTrail EC2 CreateKeyPair", "effort": "advanced", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when a key pair is created. Usually, SendSSHPublicKey is used afterwards to push the created key to an EC2 instance in order to be able to establish a connection to that instance.", "attack": ["lateral-movement - Cloud Services (T1021.007)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "296d4a04-b489-400a-bae2-371fb6043f7f", "name": "Microsoft Defender XDR Alert", "effort": "master", "data_sources": ["Anti-virus"], "description": "Microsoft Defender XDR has raised an alert. The alert info and evidence events are grouped with the similarity into the same Sekoia.io alert.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "50ba885b-86d8-41ae-ab0d-e62c2410089c", "name": "HarfangLab EDR Critical Threat", "effort": "master", "data_sources": ["Windows event logs", "Process monitoring", "File monitoring"], "description": "HarfangLab EDR detected a threat with a critical level. This detection by the EDR is based on several detection rules.", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "bec7b15d-ce83-4541-a6ae-b7f6b673fc2d", "name": "Netskope Web Isolation On Suspicious Domain", "effort": "master", "data_sources": ["Web application firewall logs", "Web logs", "Web proxy"], "description": "Netskope identified a suspicious domain and triggered web sandboxing (RBI)", "attack": ["initial-access - Cloud Accounts (T1078.004)"], "intake-formats": ["Netskope"]}, {"uuid": "3ac90d58-f204-40e3-9e0a-f012505dc33a", "name": "CrowdStrike Falcon Intrusion Detection Medium Severity", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon agent raised an alert for an intrusion detection with medium severity", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "ced73b74-09e8-4260-8dab-1098a5753391", "name": "CrowdStrike Falcon Mobile Detection Critical Severity", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon for Mobile raised an alert with critical severity", "attack": ["command-and-control - Application Layer Protocol (T1071)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "d63463ba-4ebb-491a-b35d-c405b032aeff", "name": "SentinelOne EDR Threat Detected (Suspicious)", "effort": "master", "data_sources": ["Anti-virus"], "description": "A SentinelOne EDR agent has detected a threat with a medium confidence level (suspicious).", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["SentinelOne EDR"]}, {"uuid": "59aca553-6076-42b2-8e00-9a7a0ecbf54e", "name": "CrowdStrike Falcon Intrusion Detection EppDetection", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon agent raised an alert for an intrusion detection with the new EppDetectionSummaryEvent type.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "06ff5006-6e40-411e-8b44-cdbae6972657", "name": "CrowdStrike Falcon Intrusion Detection Critical Severity", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon agent raised an alert for an intrusion detection with critical severity", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "74c7ac45-ee22-424b-8898-6810376c01a3", "name": "AWS GuardDuty High Severity Alert", "effort": "master", "data_sources": ["Services", "Application logs"], "description": "GuardDuty has detected a threat with a high severity level. A High severity level indicates that the resource in question (an EC2 instance or a set of IAM user sign-in credentials) is compromised and is actively being used for unauthorized purposes.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)"], "intake-formats": ["AWS GuardDuty"]}, {"uuid": "9c61ab50-5928-472f-847e-585c2012d6a9", "name": "Advanced Threat Detected By Hornetsecurity 365 Total Protection", "effort": "master", "data_sources": ["Anti-virus", "Email gateway"], "description": "Hornetsecurity 365 Total Protection has detected an advanced threat from an e-mail.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Hornetsecurity 365 Total Protection"]}, {"uuid": "0d432b2f-e0a1-4d81-bdd6-ef341a09bf9e", "name": "Palo Alto Cortex XDR (EDR) Alert (Critical Severity)", "effort": "master", "data_sources": ["Anti-virus"], "description": "A Palo Alto Cortex XDR (EDR) agent has raised an alert of critical severity (only DETECTED and not SCANNED status).", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Palo Alto Cortex XDR (EDR)"]}, {"uuid": "fcdaf7dc-429b-42e4-b4a5-8e36d169e577", "name": "SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence)", "effort": "master", "data_sources": ["Anti-virus"], "description": "A SentinelOne EDR agent has detected a threat with a medium confidence level (suspicious) but did not mitigate it. This is all defined by the action.type field's value.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["SentinelOne EDR"]}, {"uuid": "942970ca-8d67-4730-b625-5370d4a3fcb2", "name": "Proofpoint TAP Email Classified As Phishing But Allowed", "effort": "master", "data_sources": ["Anti-virus", "Email gateway"], "description": "An email was classified as phishing with a threat score greater than 50 by Proofpoint TAP but was not blocked. The threshold on the Threat Score has been defined to avoid a high amount of false positives.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Proofpoint TAP"]}, {"uuid": "e951e5a3-ea71-45e5-bb57-4a06d6a2f50a", "name": "CrowdStrike Falcon Intrusion Detection Informational Severity EppDetection", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon agent raised an alert for an intrusion detection with informational severity with the new EppDetectionSummaryEvent.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "750ea1db-da63-4dc4-872d-089155e29d1c", "name": "Darktrace Threat Visualizer Threat Critical Alert", "effort": "master", "data_sources": ["DNS records", "Web logs"], "description": "Darktrace Threat Visualizer has raised a threat critical alert related to one supervised device", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["Darktrace Threat Visualizer"]}, {"uuid": "4417dd6a-344c-41fe-96ce-4ee1e352221a", "name": "AWS GuardDuty Low Severity Alert", "effort": "master", "data_sources": ["Services", "Application logs"], "description": "GuardDuty has detected a threat with a low severity level. A low severity level indicates attempted suspicious activity that did not compromise your network, for example, a port scan or a failed intrusion attempt.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)"], "intake-formats": ["AWS GuardDuty"]}, {"uuid": "a4bbc0fd-24b6-484d-87df-929ec2ffaa65", "name": "Proofpoint TAP Email Classified As Malware But Allowed", "effort": "master", "data_sources": ["Anti-virus", "Email gateway"], "description": "An email was classified as malware with a threat score greater than 0 by Proofpoint TAP but was not blocked. The threshold on the Threat Score has been defined to avoid a high amount of false positives.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Proofpoint TAP"]}, {"uuid": "68202697-3994-45b6-8074-89a6f90e4448", "name": "Darktrace Threat Visualizer Model Breach Suspicious Activity", "effort": "master", "data_sources": ["DNS records", "Web logs"], "description": "Darktrace Threat Visualizer has detected a network critical activity related to one supervised device", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["Darktrace Threat Visualizer"]}, {"uuid": "889ab345-93fe-4779-87ad-bd11ae03204d", "name": "HarfangLab EDR Low Level Rule Detection", "effort": "master", "data_sources": ["Process monitoring", "File monitoring", "Windows event logs"], "description": "HarfangLab EDR has raised an alert based on a low level rule (not using hlai engine)", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "f00733ac-3bae-4153-9ed3-1f7d25d0572a", "name": "Trend Micro Cloud One High Intrusion", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects when Trend Micro EDR raised an alert for an intrusion with a high severity level.", "attack": ["initial-access - External Remote Services (T1133)"], "intake-formats": ["Trend Micro Cloud One / Deep Security"]}, {"uuid": "bb85d6f6-3391-481a-bafb-00fba96ab57e", "name": "Palo Alto Cortex XDR (EDR) Alert Not Blocked (Low Severity)", "effort": "master", "data_sources": ["Anti-virus"], "description": "A Palo Alto Cortex XDR (EDR) agent has raised an alert of low severity that was not blocked.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Palo Alto Cortex XDR (EDR)"]}, {"uuid": "6cdb5859-98b4-4831-942e-9f7c6f2853e7", "name": "Varonis Data Security Intrusion Detection Low Severity Alert", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Varonis Data Security has raised a low severity alert for its intrusion detection engine.", "attack": ["reconnaissance - Active Scanning (T1595)"], "intake-formats": []}, {"uuid": "df0deb9e-8ba3-483c-adad-c46e7df022b9", "name": "CrowdStrike Falcon Intrusion Detection Informational Severity", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon agent raised an alert for an intrusion detection with informational severity", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "ea2763ad-216b-4741-b89c-e81fa7e96459", "name": "CrowdStrike Falcon Identity Protection Detection Informational Severity", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon raised an alert for an Identity-based detection with informational severity", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "c0fae1bb-25a2-4323-973b-d123208f76e6", "name": "CrowdStrike Falcon Intrusion Detection High Severity EppDetection", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon agent raised an alert for an intrusion detection with high severity with the new EppDetectionSummaryEvent.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "c0f88b01-038d-4ac8-96bb-ef7183678111", "name": "Gatewatcher AionIQ V103 Shellcode Detect", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects when a suspicious shellcode is used.", "attack": ["execution - Command and Scripting Interpreter (T1059)"], "intake-formats": ["Gatewatcher AionIQ V103"]}, {"uuid": "f8f81a0e-2454-4d76-a6bb-185b671e4e38", "name": "HarfangLab EDR High Threat", "effort": "master", "data_sources": ["Windows event logs", "Process monitoring", "File monitoring"], "description": "HarfangLab EDR detected a threat with a high level. This detection by the EDR is based on several detection rules.", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "30d06740-9e6f-4557-9b71-0ddf6d88e4ae", "name": "HarfangLab EDR Suspicious Process Behavior Has Been Detected", "effort": "master", "data_sources": ["Process monitoring", "File monitoring", "Windows event logs"], "description": "HarfangLab EDR has detected a suspicious process behavior based on its detection rule. Check the rule name and description for more information.", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "fa963edb-a443-455c-87d8-adbeb801956c", "name": "SentinelOne EDR SSO User Added", "effort": "master", "data_sources": ["Anti-virus"], "description": "A SSO User was added.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["SentinelOne EDR"]}, {"uuid": "ad1858b2-eaf4-473f-9748-80e7fa6933c8", "name": "HarfangLab EDR Hlai Engine Detection", "effort": "master", "data_sources": ["Process monitoring", "File monitoring", "Windows event logs"], "description": "HarfangLab EDR has raised an alert based on its hlai engine", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "bf8d4b77-ab6f-4351-8048-3e488c9581ed", "name": "Broadcom/Symantec Endpoint Security Event Terminate", "effort": "master", "data_sources": ["Anti-virus"], "description": "Broadcom/Symantec Endpoint Security had a process terminate action. Careful when activating this rule, it generates lots of events that are not always relevant for detection.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Broadcom/Symantec Endpoint Security"]}, {"uuid": "2ccba683-f116-439e-81d5-204a7e374c7d", "name": "Netskope Admin Audit High Severity", "effort": "master", "data_sources": ["Web application firewall logs", "Web logs", "Web proxy"], "description": "Audit events detection for admin activites that differ from authentications, with high severity level according to Netskope.", "attack": ["initial-access - Cloud Accounts (T1078.004)"], "intake-formats": ["Netskope"]}, {"uuid": "0473dde6-b47e-4ffa-98ec-6369fee4a841", "name": "Claroty xDome Network Threat Detection Alert", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Claroty xDome has raised an network threat detection alert.", "attack": ["exfiltration - Exfiltration Over C2 Channel (T1041)"], "intake-formats": ["Claroty xDome"]}, {"uuid": "c150a932-7307-4597-a232-3d94d48c3caf", "name": "Datadome Protection Intrusion Detection", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects when Datadome protection raises an alert linked to intrusion. Datadome is used against fraud and bots.", "attack": ["initial-access - External Remote Services (T1133)"], "intake-formats": ["Datadome Protection"]}, {"uuid": "8f725900-3745-41b3-b14f-a7532b8d02c8", "name": "Varonis Data Security Intrusion Detection Medium Severity Alert", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Varonis Data Security has raised a medium severity alert for its intrusion detection engine.", "attack": ["reconnaissance - Active Scanning (T1595)"], "intake-formats": []}, {"uuid": "09b80858-2b75-40b2-907b-94ee090d2dd5", "name": "Sophos EDR Application Blocked", "effort": "master", "data_sources": ["Anti-virus"], "description": "Sophos EDR detected a potentially malicious application and blocked it.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Sophos EDR"]}, {"uuid": "0d3d2d64-bdd0-404f-bcf0-3b90773fb500", "name": "Varonis Data Security Network Medium Severity Alert", "effort": "master", "data_sources": ["Anti-virus"], "description": "Varonis Data Security has raised a medium severity alert related to a network rule", "attack": ["resource-development - Email Accounts (T1586.002)"], "intake-formats": []}, {"uuid": "5895e296-e6ea-4417-9c19-ef8b448d8643", "name": "Trend Micro Apex One Data Loss Prevention Alert", "effort": "master", "data_sources": ["Data loss prevention"], "description": "Trend Micro Apex One has raised an alert for data loss prevention.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint"]}, {"uuid": "edab49e0-ca83-4255-b636-c6fbd7e4a6da", "name": "CrowdStrike Falcon Intrusion Detection Medium Severity EppDetection", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon agent raised an alert for an intrusion detection with medium severity with the new EppDetectionSummaryEvent.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "37485dd1-3e35-44c4-8727-bd818717a1d8", "name": "TEHTRIS EDR Alert", "effort": "master", "data_sources": ["Anti-virus"], "description": "Tehtris EDR telemetry has raised an alert.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["TEHTRIS EDR"]}, {"uuid": "9b39f460-99e6-4f26-8605-e9a9c7ef9259", "name": "Varonis Data Security Network High Severity Alert", "effort": "master", "data_sources": ["Anti-virus"], "description": "Varonis Data Security has raised a high severity  alert related to a network rule", "attack": ["resource-development - Email Accounts (T1586.002)"], "intake-formats": []}, {"uuid": "20f8da14-4a53-41a2-badd-dadb57d753fc", "name": "Trend Micro Vision One Workbench Low Severity Alert", "effort": "master", "data_sources": ["Anti-virus", "Network intrusion detection system"], "description": "Detects when a low alert severity is raised by Trend Micro Vision One Workbench.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["Trend Micro Vision One Workbench Alerts [BETA]"]}, {"uuid": "15bdb80b-b9ec-4919-8bae-f744a5956c20", "name": "Suricata Exploit Kit Activity Detected High Severity Alert", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects a high severity alert triggered from Suricata Exploit Kit Activity Detected category.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Suricata"]}, {"uuid": "fdd8add0-5b6b-4474-94ab-cceb33f271fd", "name": "Trend Micro Vision One Workbench high Severity Alert", "effort": "master", "data_sources": ["Anti-virus", "Network intrusion detection system"], "description": "Detects when a high alert severity is raised by Trend Micro Vision One Workbench.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["Trend Micro Vision One Workbench Alerts [BETA]"]}, {"uuid": "2ff03058-ce93-4e89-8df3-2a62541ce95a", "name": "CrowdStrike Falcon Identity Protection Detection High Severity", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon raised an alert for an Identity-based detection with high severity", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "55a63b5c-a12b-4e45-abee-1933c31d1c94", "name": "Netskope DLP Alert", "effort": "master", "data_sources": ["Web application firewall logs", "Web logs", "Web proxy"], "description": "Detects DLP alerts which are not allowed.  ", "attack": ["collection - Data from Cloud Storage (T1530)", "discovery - File and Directory Discovery (T1083)"], "intake-formats": ["Netskope"]}, {"uuid": "4c19d1fc-802f-439e-9c09-b101ff9d453e", "name": "Suricata Web Application Attack High Severity Alert", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects a high severity alert triggered from Suricata Web Application Attack category.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Suricata"]}, {"uuid": "dfb62fa7-c737-4afb-86a3-76a77d772f70", "name": "Spam Detected By Hornetsecurity 365 Total Protection", "effort": "master", "data_sources": ["Anti-virus", "Email gateway"], "description": "Hornetsecurity 365 Total Protection has detected a spam e-mail.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Hornetsecurity 365 Total Protection"]}, {"uuid": "e771572f-efe2-4baa-b60b-75be6f5f2b6a", "name": "Gatewatcher AionIQ Network Alert", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Forward network alerts reported by Gatewatcher AionIQ  ", "attack": ["exfiltration - Exfiltration Over C2 Channel (T1041)"], "intake-formats": ["Gatewatcher AionIQ v102"]}, {"uuid": "b3ad008e-410b-47ba-881d-8fffe25e5bbb", "name": "Tenable Identity Exposure / Alsid Critical Severity Alert", "effort": "master", "data_sources": ["Application logs"], "description": "Tenable Identity Exposure / Alsid raised a critical severity alert.", "attack": ["privilege-escalation - Domain or Tenant Policy Modification (T1484)"], "intake-formats": ["Tenable Identity Exposure / Alsid"]}, {"uuid": "50330470-e076-4741-a52a-1f19137c5412", "name": "Gatewatcher AionIQ V103 Malicious Powershell Detect", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects malicious powershell by Gatewatcher V103.", "attack": ["exfiltration - Scheduled Transfer (T1029)"], "intake-formats": ["Gatewatcher AionIQ V103"]}, {"uuid": "01bf03f8-24a7-420a-b677-ab90a76cc467", "name": "Stormshield Ses Emergency Block", "effort": "master", "data_sources": ["Process monitoring", "File monitoring"], "description": "Stormshield Endpoint Security block execution with emergency severity", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Stormshield SES"]}, {"uuid": "01af42c2-e60e-4a38-9d0b-90bdb837535a", "name": "Darktrace Threat Visualizer Threat Suspicious Alert", "effort": "master", "data_sources": ["DNS records", "Web logs"], "description": "Darktrace Threat Visualizer has raised a threat suspicious alert related to one supervised device", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["Darktrace Threat Visualizer"]}, {"uuid": "65da0041-935e-49c0-9d04-96083b4c8cd1", "name": "Varonis Data Security Network Low Severity Alert", "effort": "master", "data_sources": ["Anti-virus"], "description": "Varonis Data Security has raised a low severity alert related to a network rule", "attack": ["resource-development - Email Accounts (T1586.002)"], "intake-formats": []}, {"uuid": "0d300416-3108-4fb5-aa07-2b4d7b20a50d", "name": "Stormshield Ses Critical Block", "effort": "master", "data_sources": ["Process monitoring", "File monitoring"], "description": "Stormshield Endpoint Security block execution with critical severity", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Stormshield SES"]}, {"uuid": "a080ed0e-e7db-4883-a84f-7afb9b8e9071", "name": "Lacework Cloud Security High Severity Alert", "effort": "master", "data_sources": ["Authentication logs"], "description": "Detects when a high alert severity is raised by Lacework. This severity level might indicates a suspicious change in configuration or policy violation.", "attack": ["execution - User Execution (T1204)", "defense-impairment - Modify Cloud Compute Infrastructure (T1578)"], "intake-formats": ["Lacework Cloud Security"]}, {"uuid": "dde1a236-8f21-4a25-aa7c-5d239463d55c", "name": "CrowdStrike Falcon Intrusion Detection Low Severity", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon agent raised an alert for an intrusion detection with low severity", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "3518e350-e146-440d-8c81-517fa8d7037b", "name": "Trend Micro Apex One Intrusion Detection Alert", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Trend Micro Apex One has raised an alert for an intrusion detection.", "attack": ["initial-access - External Remote Services (T1133)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint"]}, {"uuid": "6cd5326c-c101-4a58-a8f4-5fce748a4f1e", "name": "Tenable Identity Exposure / Alsid High Severity Alert", "effort": "master", "data_sources": ["Application logs"], "description": "Tenable Identity Exposure / Alsid raised an alert.", "attack": ["privilege-escalation - Domain or Tenant Policy Modification (T1484)"], "intake-formats": ["Tenable Identity Exposure / Alsid"]}, {"uuid": "8f3a7413-4778-47e5-9381-40aac270cd9c", "name": "CrowdStrike Falcon Mobile Detection High Severity", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon for Mobile raised an alert with high severity", "attack": ["command-and-control - Application Layer Protocol (T1071)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "521c2752-d48f-4fa3-9c19-bde3b73a2c3f", "name": "Varonis Data Security Email Medium Severity Alert", "effort": "master", "data_sources": ["Anti-virus", "Email gateway"], "description": "Varonis Data Security has raised a medium severity alert related to a supervised email account.", "attack": ["resource-development - Email Accounts (T1586.002)"], "intake-formats": []}, {"uuid": "49ba54f8-0577-4c38-916d-71507dd3cef0", "name": "Bitdefender GravityZone Endpoint Detection", "effort": "master", "data_sources": ["Anti-virus"], "description": "Bitdefender GravityZone detected a malicious activity on an endpoint", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["Bitdefender GravityZone"]}, {"uuid": "32917b10-b86d-45ca-b207-ec33c6222dd2", "name": "Gatewatcher AionIQ V103 Sigflow Alert", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects a sigflow alert by Gatewatcher AionIQ V103.", "attack": ["exfiltration - Exfiltration Over C2 Channel (T1041)"], "intake-formats": ["Gatewatcher AionIQ V103"]}, {"uuid": "27e3c11d-b011-465a-81d2-0efe7888e925", "name": "HarfangLab EDR Critical Level Rule Detection", "effort": "master", "data_sources": ["Process monitoring", "File monitoring", "Windows event logs"], "description": "HarfangLab EDR has raised an alert based on a critical level rule (not using hlai engine)", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "d7c26641-31e7-4ff7-bcd5-6f76f07d6f05", "name": "WithSecure Elements Critical Severity", "effort": "master", "data_sources": ["Anti-virus"], "description": "WithSecure Elements has several modules. One constant is the severity of a raised event, which can be critical and therefore interesting to look at.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["WithSecure Elements"]}, {"uuid": "3b1b4cd2-36a0-49a6-a79c-19fb4c58971b", "name": "Darktrace Threat Visualizer Model Breach Critical Activity", "effort": "master", "data_sources": ["DNS records", "Web logs"], "description": "Darktrace Threat Visualizer has detected a network critical activity related to one supervised device", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["Darktrace Threat Visualizer"]}, {"uuid": "a7470e53-1159-4689-9b28-00347885d6d4", "name": "Netskope Malware Patient Zero Detected", "effort": "master", "data_sources": ["Web application firewall logs", "Web logs", "Web proxy"], "description": "Netskope identified a malware as Patient Zero.", "attack": ["initial-access - Cloud Accounts (T1078.004)"], "intake-formats": ["Netskope"]}, {"uuid": "f50fde58-1c7d-4be2-9830-722bbfa2fdfb", "name": "Sophos EDR CorePUA Detection", "effort": "master", "data_sources": ["Anti-virus"], "description": "Sophos EDR detected a potentially unwanted application.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Sophos EDR"]}, {"uuid": "bc59eba3-1b4f-4136-92ab-01830b96c492", "name": "SentinelOne EDR Threat Mitigation Report Kill Success", "effort": "master", "data_sources": ["Anti-virus"], "description": "A SentinelOne EDR agent has detected and killed a threat (usually kills the malicious process), defined by the action.type field's value.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["SentinelOne EDR"]}, {"uuid": "cc0ae2f1-b9f6-4f6d-b2a8-e170e24bc45a", "name": "Gatewatcher AionIQ V103 Network Behavior Analytics", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects when network behavior analytics were requested.", "attack": ["reconnaissance - Gather Victim Network Information (T1590)"], "intake-formats": ["Gatewatcher AionIQ V103"]}, {"uuid": "f8f8e12e-4b3d-4086-b10a-6358bc2a8af9", "name": "Trend Micro Vision One Workbench Medium Severity Alert", "effort": "master", "data_sources": ["Anti-virus", "Network intrusion detection system"], "description": "Detects when a medium alert severity is raised by Trend Micro Vision One Workbench.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["Trend Micro Vision One Workbench Alerts [BETA]"]}, {"uuid": "4c5d2b6f-e27e-45e9-a687-451bb616ad85", "name": "WIZ Issues Critical Alert Raised", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects when a critical alert from WIZ Issues is raised.", "attack": ["execution - Cloud Administration Command (T1651)"], "intake-formats": ["Wiz Issues"]}, {"uuid": "593315ce-94ac-4b23-aa37-bae66e98625b", "name": "CrowdStrike Falcon Mobile Detection Low Severity", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon for Mobile raised an alert with low severity", "attack": ["command-and-control - Application Layer Protocol (T1071)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "b7ef8686-1bef-4733-82c1-211a886f2259", "name": "HarfangLab EDR Low Threat", "effort": "master", "data_sources": ["Windows event logs", "Process monitoring", "File monitoring"], "description": "HarfangLab EDR detected a threat with a low level. This detection by the EDR is based on several detection rules.", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "e0a96f3e-cd28-4a62-aa05-9e4fdd2bacdd", "name": "Netskope Malware Detected", "effort": "master", "data_sources": ["Web application firewall logs", "Web logs", "Web proxy"], "description": "Netskope identified a malware with a high severity (excluding Patient Zero here)", "attack": ["initial-access - Cloud Accounts (T1078.004)"], "intake-formats": ["Netskope"]}, {"uuid": "a8825a11-51a0-46e0-81d5-10c05a2b75dd", "name": "Stormshield Ses Critical Not Block", "effort": "master", "data_sources": ["Process monitoring", "File monitoring"], "description": "Stormshield Endpoint Security detect threat with critical severity that was not blocked", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Stormshield SES"]}, {"uuid": "234efc86-611d-48cd-bc01-57f1d5ee4fc5", "name": "Threat Detected By Hornetsecurity 365 Total Protection", "effort": "master", "data_sources": ["Anti-virus", "Email gateway"], "description": "Hornetsecurity 365 Total Protection has detected a threat from an e-mail.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Hornetsecurity 365 Total Protection"]}, {"uuid": "8e3bd433-37bc-44d9-8498-e55ea86cf543", "name": "CrowdStrike Falcon Intrusion Detection Low Severity EppDetection", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon agent raised an alert for an intrusion detection with low severity with the new EppDetectionSummaryEvent.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "a69827e8-3537-40a3-9638-f4b10274f750", "name": "SentinelOne EDR Malicious Threat Not Mitigated", "effort": "master", "data_sources": ["Anti-virus"], "description": "A SentinelOne EDR agent has detected a threat but did not mitigate it, defined by the action.type field's value.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["SentinelOne EDR"]}, {"uuid": "45dd3f4e-b662-419b-8621-8cf4b4bc9ed1", "name": "Lacework Cloud Security Medium Severity Alert", "effort": "master", "data_sources": ["Authentication logs"], "description": "Detects when a medium alert severity is raised by Lacework. This severity level might indicates a suspicious activity such as new source from user connection.", "attack": ["execution - User Execution (T1204)", "defense-impairment - Modify Cloud Compute Infrastructure (T1578)"], "intake-formats": ["Lacework Cloud Security"]}, {"uuid": "1e8f2f96-a165-46f8-9ba1-f0c8181cfab8", "name": "Broadcom/Symantec Endpoint Security Event Blocked", "effort": "master", "data_sources": ["Anti-virus"], "description": "Broadcom/Symantec Endpoint Security blocked an action. Careful when activating this rule, it generates lots of events that are not always relevant for detection.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Broadcom/Symantec Endpoint Security"]}, {"uuid": "3965d9c0-627d-4d6f-923c-7c141c617c98", "name": "WithSecure Elements Warning Severity", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects when WithSecure Elements raised an event with a warning (and is not blocked or quarantined).", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["WithSecure Elements"]}, {"uuid": "9521deb9-569f-4be6-81ab-da01a381ff52", "name": "SentinelOne EDR Threat Mitigation Report Remediate Success", "effort": "master", "data_sources": ["Anti-virus"], "description": "A SentinelOne EDR agent has remediated a threat, defined by the action.type field's value.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["SentinelOne EDR"]}, {"uuid": "361f9c26-c095-480b-8f12-17a9ca2daf8b", "name": "Daspren Parad Malicious Behavior", "effort": "master", "data_sources": ["Data loss prevention"], "description": "Detects when Daspren Parad kills a process with a malicious behavior.", "attack": ["privilege-escalation - Process Injection (T1055)"], "intake-formats": ["Daspren Parad"]}, {"uuid": "4a092989-5fc2-4ec8-86ca-d32b8d5af5d3", "name": "SentinelOne EDR User Failed To Log In To The Management Console", "effort": "master", "data_sources": ["Anti-virus"], "description": "A user has failed to log in to the management console.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["SentinelOne EDR"]}, {"uuid": "8dbb9170-1fe5-4d00-a9dc-9f6279671c25", "name": "CrowdStrike Falcon Mobile Detection Medium Severity", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon for Mobile raised an alert with medium severity", "attack": ["command-and-control - Application Layer Protocol (T1071)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "93e51ed6-35f1-47e6-b5c9-c60d390beef3", "name": "SentinelOne EDR Custom Rule Alert", "effort": "master", "data_sources": ["Anti-virus"], "description": "A SentinelOne EDR agent has detected a threat related to a Custom Rule and raised an alert for it.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["SentinelOne EDR"]}, {"uuid": "79ce2c85-5de3-4d55-8818-1b6e2793d8b8", "name": "CrowdStrike Falcon Identity Protection Detection Medium Severity", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon raised an alert for an Identity-based detection with medium severity", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "9e7ba071-8750-451b-bc4f-e4d39d28225f", "name": "Trend Micro Cloud One Low Intrusion", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects when Trend Micro EDR raised an alert for an intrusion with a low severity level.", "attack": ["initial-access - External Remote Services (T1133)"], "intake-formats": ["Trend Micro Cloud One / Deep Security"]}, {"uuid": "2fe195a8-bf16-4905-8cc3-74f2e8b80c76", "name": "HarfangLab EDR Process Execution Blocked (HL-AI engine)", "effort": "master", "data_sources": ["Process monitoring", "File monitoring", "Windows event logs"], "description": "HarfangLab EDR's machine learning malware detection module (HL-AI) has detected a suspicious binary and blocked its execution. To know more on what caused this alert, you should check the value of the process name and the concerned computer and user.", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "7fdc2381-22d2-43ae-aa22-6a0e6a8abfef", "name": "Broadcom/Symantec Endpoint Security Event Quarantined", "effort": "master", "data_sources": ["Anti-virus"], "description": "Broadcom/Symantec Endpoint Security had a quarantined action. Careful when activating this rule, it generates lots of events that are not always relevant for detection.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Broadcom/Symantec Endpoint Security"]}, {"uuid": "059af0aa-b61b-4645-8b13-816cfcd7521e", "name": "Varonis Data Security Email High Severity Alert", "effort": "master", "data_sources": ["Anti-virus", "Email gateway"], "description": "Varonis Data Security has raised a high severity alert related to a supervised email account.", "attack": ["resource-development - Email Accounts (T1586.002)"], "intake-formats": []}, {"uuid": "8f9a8f4b-68d4-4a7a-847e-5e51de764a1f", "name": "Gatewatcher AionIQ Malware Alert", "effort": "master", "data_sources": ["Anti-virus"], "description": "Forward malware information reported by Gatewatcher AionIQ  ", "attack": ["exfiltration - Exfiltration Over C2 Channel (T1041)"], "intake-formats": ["Gatewatcher AionIQ v102"]}, {"uuid": "3e36a6e5-1859-48f9-8179-68449f0ea106", "name": "SentinelOne EDR Threat Mitigation Report Quarantine Success", "effort": "master", "data_sources": ["Anti-virus"], "description": "A SentinelOne EDR agent has detected and quarantined a threat with success, defined by the action.type field's value.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["SentinelOne EDR"]}, {"uuid": "def4d95c-e759-4621-8faa-fadc17eddef2", "name": "SentinelOne EDR Agent Disabled", "effort": "master", "data_sources": ["Anti-virus"], "description": "A SentinelOne EDR agent has been disabled according to SentinelOne logs.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["SentinelOne EDR"]}, {"uuid": "3086c43f-4987-4fdd-8f4e-f93a4e2d7396", "name": "Suricata Attempted Administrator Privilege Gain High Severity Alert", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects a high severity alert triggered from Suricata Attempted Administrator Privilege Gain category.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Suricata"]}, {"uuid": "98ad956d-3f52-4ad0-9396-c7750bd63941", "name": "CrowdStrike Falcon Intrusion Detection High Severity", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon agent raised an alert for an intrusion detection with high severity", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "257a26ef-dfc9-42ef-9841-f12705503601", "name": "Lacework Cloud Security Critical Severity Alert", "effort": "master", "data_sources": ["Authentication logs"], "description": "Detects when a critical alert severity is raised by Lacework. This severity level might indicates a suspicious change in configuration or policy violation.", "attack": ["execution - User Execution (T1204)", "defense-impairment - Modify Cloud Compute Infrastructure (T1578)"], "intake-formats": ["Lacework Cloud Security"]}, {"uuid": "ee37d914-3e81-4f84-b59f-22e1d156e68e", "name": "Gatewatcher AionIQ V103 Beacon Detect", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects a suspicious beacon.", "attack": ["exfiltration - Exfiltration Over C2 Channel (T1041)"], "intake-formats": ["Gatewatcher AionIQ V103"]}, {"uuid": "d667150d-0358-46ea-8db7-467f35a513f6", "name": "Microsoft Defender XDR Entra ID Protection Alert", "effort": "master", "data_sources": ["Anti-virus"], "description": "Microsoft Defender XDR has raised an alert for Microsoft Entra ID Protection. The alert info and evidence events are grouped with the similarity into the same Sekoia.io alert.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "3a9ff07f-1403-4545-b68c-1f226621388c", "name": "Vectra General Threat Detection", "effort": "master", "data_sources": ["Anti-virus"], "description": "Vectra Cognito detected a potential threat. This is a very generic rule to raise as much alerts as possible from Vectra detections however RECONNAISSANCE and INFO categories have been removed to avoid spamming.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Vectra Cognito Detect"]}, {"uuid": "4f9e2094-1b5e-44b5-a6db-298d19f8d957", "name": "CrowdStrike Falcon Identity Protection Detection Critical Severity", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon raised an alert for an Identity-based detection with critical severity", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "155bac75-4179-46a1-81f1-3a9e2931411c", "name": "Microsoft Defender XDR Cloud App Security Alert", "effort": "master", "data_sources": ["Anti-virus"], "description": "Microsoft Defender XDR has raised an alert for Microsoft Cloud App Security. The alert info and evidence events are grouped with the similarity into the same Sekoia.io alert.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "49655b5c-56a9-43b2-8133-71a8bcf4686e", "name": "Varonis Data Security Intrusion Detection High Severity Alert", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Varonis Data Security has raised a high severity alert for its intrusion detection engine.", "attack": ["reconnaissance - Active Scanning (T1595)"], "intake-formats": []}, {"uuid": "009f3bcb-eb04-4082-b672-c7fdcf776156", "name": "Trend Micro Cloud One Medium Intrusion", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects when Trend Micro EDR raised an alert for an intrusion with a medium severity level.", "attack": ["initial-access - External Remote Services (T1133)"], "intake-formats": ["Trend Micro Cloud One / Deep Security"]}, {"uuid": "9470d781-37eb-49f7-b994-e8cabed86c8e", "name": "AWS GuardDuty Medium Severity Alert", "effort": "master", "data_sources": ["Services", "Application logs"], "description": "GuardDuty has detected a threat with a medium severity level. A Medium severity level indicates suspicious activity that deviates from normally observed behavior and, depending on your use case, may be indicative of a resource compromise.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)"], "intake-formats": ["AWS GuardDuty"]}, {"uuid": "63c88c6a-3370-400c-9699-43d1ae03746b", "name": "Trend Micro Vision One Workbench Critical Severity Alert", "effort": "master", "data_sources": ["Anti-virus", "Network intrusion detection system"], "description": "Detects when a critical alert severity is raised by Trend Micro Vision One Workbench.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["Trend Micro Vision One Workbench Alerts [BETA]"]}, {"uuid": "c52c8a90-0975-4549-8e24-85a68f98c29d", "name": "Gatewatcher AionIQ V103 Retrohunt", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects when a retrohunt event is raised by GatewatcherV103.", "attack": ["reconnaissance - Phishing for Information (T1598)"], "intake-formats": ["Gatewatcher AionIQ V103"]}, {"uuid": "98d8af8f-4d43-4fbc-b665-afd3e26f03f4", "name": "Gatewatcher AionIQ V103 Ransomware Detect", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects when a ransomware is detected by gatewatcherV103.", "attack": ["impact - Data Encrypted for Impact (T1486)"], "intake-formats": ["Gatewatcher AionIQ V103"]}, {"uuid": "48a2682f-b224-410f-b9a5-dd68a7ea0e9b", "name": "SentinelOne EDR Threat Mitigation Report Quarantine Failed", "effort": "master", "data_sources": ["Anti-virus"], "description": "A SentinelOne EDR agent has failed to quarantine a threat, defined by the action.type field's value.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["SentinelOne EDR"]}, {"uuid": "668589c8-594c-4c22-a6ab-6700b73c19f1", "name": "Cybereason EDR Alert", "effort": "master", "data_sources": ["Anti-virus"], "description": "Cybereason EDR telemetry has raised an alert", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["Cybereason EDR"]}, {"uuid": "2e3e20b0-0f19-4536-9df2-6e89cb96bf91", "name": "Sophos EDR Application Detected", "effort": "master", "data_sources": ["Anti-virus"], "description": "Sophos EDR detected a potentially malicious application.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Sophos EDR"]}, {"uuid": "d4c4bda6-ebac-4bc1-8f32-fd645f224921", "name": "Lacework Cloud Security Low Severity Alert", "effort": "master", "data_sources": ["Authentication logs"], "description": "Detects when a low alert severity is raised by Lacework. This severity level might indicates a change in configuration that could be malicious or not.", "attack": ["execution - User Execution (T1204)", "defense-impairment - Modify Cloud Compute Infrastructure (T1578)"], "intake-formats": ["Lacework Cloud Security"]}, {"uuid": "5b0285b5-9a11-404f-b949-5eb2a338151a", "name": "CrowdStrike Falcon Intrusion Detection Critical Severity EppDetection", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon agent raised an alert for an intrusion detection with critical severity with the new EppDetectionSummaryEvent.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "44ed63ea-827e-436c-82b4-d63c9abda5cd", "name": "Microsoft Defender XDR Endpoint Alert", "effort": "master", "data_sources": ["Anti-virus"], "description": "Microsoft Defender XDR has raised an alert for Microsoft Defender for Endpoint. The alert info and evidence events are grouped with the similarity into the same Sekoia.io alert.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "2080b31b-f7cf-4904-ad1e-9f135e3fc533", "name": "Gatewatcher AionIQ V103 Dga Detect", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects when an event related to dga is raised by gatewatcher. An attacker can use this to generate a new domain for C2.", "attack": ["command-and-control - Domain Generation Algorithms (T1568.002)"], "intake-formats": ["Gatewatcher AionIQ V103"]}, {"uuid": "0b42a6f3-df0c-436e-9dc0-5e9f01c18076", "name": "Alert High Severity Sesame it Jizo NDR", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects a high severity alert raised by SesameIT.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Jizo AI / Sesame it NDR"]}, {"uuid": "c2230143-391a-40d8-95f8-a96e3d6d5eb6", "name": "Palo Alto Cortex XDR (EDR) Alert Not Blocked (High Severity)", "effort": "master", "data_sources": ["Anti-virus"], "description": "A Palo Alto Cortex XDR (EDR) agent has raised an alert of high severity that was not blocked.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Palo Alto Cortex XDR (EDR)"]}, {"uuid": "db3bdb5e-f409-4190-8b8c-6a0a9e1ee2f2", "name": "SentinelOne EDR Threat Detected (Malicious)", "effort": "master", "data_sources": ["Anti-virus"], "description": "A SentinelOne EDR agent has detected a threat with a high confidence level (malicious).", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["SentinelOne EDR"]}, {"uuid": "155e8e09-6a0f-496c-9e8f-5943a1a81f17", "name": "Fastly Next-Gen WAF Audit Threat Alert", "effort": "master", "data_sources": ["Web application firewall logs"], "description": "Forward a threat detection made by Fastly Next-Gen WAF Audit Logs", "attack": ["reconnaissance - Vulnerability Scanning (T1595.002)"], "intake-formats": ["Fastly Next-Gen WAF Audit Logs"]}, {"uuid": "04874680-3e68-48f8-83a0-28bcb7b970e2", "name": "CrowdStrike Falcon Identity Protection Detection Low Severity", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon raised an alert for an Identity-based detection with low severity", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "a0056b11-b266-4788-a5b8-fedb83211d7b", "name": "HarfangLab EDR Medium Level Rule Detection", "effort": "master", "data_sources": ["Process monitoring", "File monitoring", "Windows event logs"], "description": "HarfangLab EDR has raised an alert based on a medium level rule (not using hlai engine)", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "27792193-4d81-4780-8a4f-51dc32d9e88a", "name": "Microsoft Defender XDR Data Loss Prevention Alert", "effort": "master", "data_sources": ["Anti-virus"], "description": "Microsoft Defender XDR has raised an alert for Data Loss Prevention. The alert info and evidence events are grouped with the similarity into the same Sekoia.io alert.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "cc263302-7773-46dc-b4ee-e493e5fb6cae", "name": "Gatewatcher AionIQ V103 Active CTI", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects whan an event related to CTI is raised by Gatewatcher V103. An attacker may be gathering information with this event.", "attack": ["reconnaissance - Phishing for Information (T1598)"], "intake-formats": ["Gatewatcher AionIQ V103"]}, {"uuid": "438c4d73-45fd-43e6-94c7-1f3f9e6935df", "name": "Netskope Alerts Compliance", "effort": "master", "data_sources": ["Web application firewall logs", "Web logs", "Web proxy"], "description": "Forward alerts reported by Netskope related to compliance issues.", "attack": ["exfiltration - Exfiltration Over C2 Channel (T1041)"], "intake-formats": ["Netskope"]}, {"uuid": "1ac11e22-50e8-49c0-8b9e-bb3de89c1e65", "name": "CrowdStrike Falcon Intrusion Detection", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon agent raised an alert for an intrusion detection", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "60a4ed42-3569-4be1-919a-5d3fb2a9b2d1", "name": "SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively", "effort": "master", "data_sources": ["Anti-virus"], "description": "A SentinelOne EDR agent has detected a malicious threat which has been mitigated preemptively, defined by the action.type field's value.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["SentinelOne EDR"]}, {"uuid": "70bccd47-1a34-4f9d-9929-8efdc0dbc7ce", "name": "Palo Alto Cortex XDR (EDR) Alert Not Blocked (Medium Severity)", "effort": "master", "data_sources": ["Anti-virus"], "description": "A Palo Alto Cortex XDR (EDR) agent has raised an alert of medium severity that was not blocked.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Palo Alto Cortex XDR (EDR)"]}, {"uuid": "9fd6d5bf-b0e1-456e-aa1e-c1b6e8779255", "name": "Trend Micro Apex One Malware Alert", "effort": "master", "data_sources": ["Anti-virus"], "description": "Trend Micro Apex One has detected a malware.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint"]}, {"uuid": "2ac96bd4-0614-4096-9f77-38657028c860", "name": "HarfangLab EDR High Level Rule Detection", "effort": "master", "data_sources": ["Process monitoring", "File monitoring", "Windows event logs"], "description": "HarfangLab EDR has raised an alert based on a high level rule (not using hlai engine)", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "2a9eebe9-d9cd-4d45-be1c-30b273d0e0fb", "name": "CrowdStrike Falcon Mobile Detection Informational Severity", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon for Mobile raised an alert with informational severity", "attack": ["command-and-control - Application Layer Protocol (T1071)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "5ffe9ddd-6a9c-4eec-b379-cc59ce5d3987", "name": "Gatewatcher AionIQ V103 Malcore", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects a malcore alert by Gatewatcher AionIQ V103 related to documents with passwords.", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["Gatewatcher AionIQ V103"]}, {"uuid": "a6488637-6c14-457f-bef7-5af5174d513d", "name": "Microsoft Defender XDR Office 365 Alert", "effort": "master", "data_sources": ["Anti-virus"], "description": "Microsoft Defender XDR for Office 365 has raised an alert. The alert info and evidence events are grouped with the similarity into the same Sekoia.io alert.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "3759e6d8-5aab-4091-aeda-4a92fe88d23d", "name": "Proofpoint TAP Email Classified As Spam But Allowed", "effort": "master", "data_sources": ["Anti-virus", "Email gateway"], "description": "An email was classified as spam with a threat score greater than 50 by Proofpoint TAP but was not blocked. The threshold on the Threat Score has been defined to avoid a high amount of false positives.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Proofpoint TAP"]}, {"uuid": "9c122008-6d54-4242-8ada-484d534399f3", "name": "SentinelOne EDR User Logged In To The Management Console", "effort": "master", "data_sources": ["Anti-virus"], "description": "A user has logged in to the management console.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["SentinelOne EDR"]}, {"uuid": "96df58e3-2292-4404-bb81-628a4e2e6964", "name": "Broadcom/Symantec Endpoint Security Event Cleaned", "effort": "master", "data_sources": ["Anti-virus"], "description": "Broadcom/Symantec Endpoint Security had cleaned action. Careful when activating this rule, it generates lots of events that are not always relevant for detection.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Broadcom/Symantec Endpoint Security"]}, {"uuid": "fb1ac826-4fe5-44bc-a007-a6b7dd83c955", "name": "HarfangLab EDR Medium Threat", "effort": "master", "data_sources": ["Windows event logs", "Process monitoring", "File monitoring"], "description": "HarfangLab EDR detected a threat with a medium level. This detection by the EDR is based on several detection rules.", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "b58128b0-c3d5-4c6b-8e66-0f19c8e71980", "name": "Sophos EDR CorePUA Clean", "effort": "master", "data_sources": ["Anti-virus"], "description": "Sophos EDR detected a potentially unwanted application and cleaned it.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Sophos EDR"]}, {"uuid": "752fd068-7373-4c6a-a0fd-37ecdbf11b26", "name": "Cron Files Alteration", "effort": "advanced", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "Cron Files and Cron Directory alteration used by attacker for persistency or privilege escalation. To ensure full performance on this rule, `auditbeat` intake must be configure with the module `file_integrity` containing path mentionned in the pattern.", "attack": ["privilege-escalation - Cron (T1053.003)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Netskope", "VMware ESXi", "Juniper NGFW", "BeyondTrust Privileged Remote Access Session", "IBM iSeries", "BeyondTrust PRA Team [BETA]", "SentinelOne Cloud Funnel 2.0", "CyberArk Audit Logs", "Tanium", "ManageEngine ADAudit Plus", "NucleonEDR", "HarfangLab EDR", "Palo Alto Cortex XDR (EDR)", "Elastic Winlogbeat"]}, {"uuid": "af72d787-7c5e-4592-b644-85897c5fc125", "name": "Generic-reverse-shell-oneliner", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "To bypass some security equipement or for a sack of simplicity attackers can open raw reverse shell using shell commands", "attack": ["execution - Command and Scripting Interpreter (T1059)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "24ec3da6-0ba4-4c68-9aff-838899a18890", "name": "Fail2ban Unban IP", "effort": "advanced", "data_sources": ["Process monitoring"], "description": "An IP was ubaned by Fail2ban. It could be use to allow malicous traffic.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "0759097a-dc56-47c6-97fc-397caeff2fa4", "name": "Correlation Linux Decode And Exec", "effort": "intermediate", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "A Base64 string has been decoded and executed through a pipe. The prerequisites are to enable monitoring of the execve syscall using Auditbeat.", "attack": ["stealth - Deobfuscate/Decode Files or Information (T1140)", "execution - Unix Shell (T1059.004)"], "intake-formats": []}, {"uuid": "8a4b8e98-1585-4b3a-b240-e9b4ae285621", "name": "Linux Capabilities Discovery", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "Linux capabilities are special attributes in the Linux kernel that grant processes and binary executables specific privileges that are normally reserved for processes whose effective user ID is 0 (The root user, and only the root user, has UID 0). This rule aims to detect discovery of such capabilities on the Linux system. The prerequisites are to enable monitoring of the execve and getxattr syscalls using Auditbeat.", "attack": ["privilege-escalation - Abuse Elevation Control Mechanism (T1548)"], "intake-formats": []}, {"uuid": "47afc02c-9d59-4f31-a12b-5e70082b082b", "name": "Unusual Process Executed in Temporary Directory", "effort": "master", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "Identifies processes running in a temporary folder. This is sometimes done by adversaries to hide malware. The prerequisites are to enable monitoring of the execve syscall using Auditbeat.", "attack": ["privilege-escalation - Abuse Elevation Control Mechanism (T1548)"], "intake-formats": []}, {"uuid": "304ce000-e43c-4865-8dff-1f9c7a654180", "name": "Linux Suspicious Auto-start Desktop Shortcut Execution", "effort": "intermediate", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "This detection rule identifies a suspicious process start from an graphical env process which may indicate the use of a malicious .desktop shortcut.", "attack": ["privilege-escalation - XDG Autostart Entries (T1547.013)"], "intake-formats": ["Azure Windows", "ESET Protect", "OCSF", "SentinelOne EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Tanium", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "a2315508-0dd5-4f92-98d1-2c57c29966da", "name": "Docker Escape Bind Mount", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "Catch Docker escape via mount escape followed by chroot ", "attack": ["execution - Deploy Container (T1610)", "privilege-escalation - Escape to Host (T1611)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "c7a68bf0-4b56-4491-8553-2e34741fc342", "name": "Write To File In Sudoers.d Folder", "effort": "advanced", "data_sources": ["File monitoring"], "description": "A user tried to write something to a file in /etc/sudoers.d. It can be used to elevate privilege related to sudo and make it persistent. The prerequisites are to enable monitoring of the openat syscall using Auditbeat.", "attack": ["credential-access - /etc/passwd and /etc/shadow (T1003.008)"], "intake-formats": []}, {"uuid": "f4dea50f-07fc-4c86-8c47-b4d37410023b", "name": "Socat Relaying Socket", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "Socat is a linux tool used to relay local socket or internal network connection, this technics is often used by attacker to bypass security equipment such as firewall", "attack": ["execution - Network Device CLI (T1059.008)", "command-and-control - Protocol Tunneling (T1572)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "3819ae60-d5c6-4aef-abc4-0048e75972fa", "name": "SSH Reverse Socks", "effort": "intermediate", "data_sources": ["Process command-line parameters"], "description": "Detects the usage of the -R option combined with StrictHostKeyChecking, which is an indication of using SSH for reverse socks.", "attack": ["command-and-control - Protocol Tunneling (T1572)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "7cb3f329-8d12-4065-8dd1-fdb91da7eecf", "name": "Linux Suspicious Search", "effort": "intermediate", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "Adversaries may search for private key on compromised systems", "attack": ["credential-access - Private Keys (T1552.004)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "1dc747ed-206a-4e1f-b284-70e5973e61ee", "name": "Certificate Authority Modification", "effort": "master", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "Installation of new certificate(s) in the Certificate Authority can be used to trick user when spoofing website or to add trusted destinations.", "attack": ["defense-impairment - Install Root Certificate (T1553.004)"], "intake-formats": ["Keycloak Events", "Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Akamai Guardicore On-Prem [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "Windows Log Insight", "F5 BIG-IP", "CrowdStrike Falcon", "Postfix", "SonicWall Firewall", "Stormshield SES", "Cybereason EDR", "VMware ESXi", "ESET Protect", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Trellix EPO [ALPHA]", "Jumpcloud Directory Insights", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "CEF", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Daspren Parad", "One Identity SPS", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "WithSecure Elements", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Microsoft 365 / Office 365", "Akamai Guardicore Cloud [BETA]", "Azure Activity Logs", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "IBM iSeries", "VMware vCenter", "Thinkst Canary", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Broadcom/Symantec Endpoint Security", "Trellix ePO (on-prem)", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "747480aa-cb37-486a-a035-d2884c2ee625", "name": "Network Sniffing", "effort": "advanced", "data_sources": ["Host network interface", "Process command-line parameters", "Process monitoring"], "description": "List of common tools used for network packages sniffing", "attack": ["discovery - Network Sniffing (T1040)"], "intake-formats": ["Keycloak Events", "Microsoft Defender XDR (Graph API) [BETA]", "Akamai Guardicore On-Prem [BETA]", "Cisco Secure Firewall", "IBM AIX", "Windows Log Insight", "CrowdStrike Falcon", "Postfix", "SonicWall Firewall", "Stormshield SES", "Cybereason EDR", "VMware ESXi", "ESET Protect", "Elastic AuditBeat Linux", "Trellix EPO [ALPHA]", "Jumpcloud Directory Insights", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "CEF", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Daspren Parad", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Microsoft 365 / Office 365", "Akamai Guardicore Cloud [BETA]", "Azure Activity Logs", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "IBM iSeries", "VMware vCenter", "Thinkst Canary", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Broadcom/Symantec Endpoint Security", "Trellix ePO (on-prem)", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "fd627ef0-74e9-4c3d-8200-fcbb6fef42e0", "name": "Linux Bash Reverse Shell", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "To bypass some security equipement or for a sack of simplicity attackers can open raw reverse shell using shell commands", "attack": ["execution - Unix Shell (T1059.004)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "aa00ca83-b6b4-417a-9c06-a5ae5b71fa0d", "name": "Main Memory Dumping", "effort": "advanced", "data_sources": ["File monitoring"], "description": "Attacker might want to leverage their permission on the system or steal authentication tokens to third parties software, website, etc. To do so, attacker might try to dump main memory of computer. The prerequisites are to enable monitoring of the openat and open syscalls using Auditbeat.", "attack": ["credential-access - /etc/passwd and /etc/shadow (T1003.008)", "credential-access - Proc Filesystem (T1003.007)"], "intake-formats": []}, {"uuid": "d43e2999-aa7e-45e2-a13a-0f35fcc92b4c", "name": "Interactive Terminal Spawned via Python", "effort": "advanced", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.", "attack": ["execution - Command and Scripting Interpreter (T1059)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "8df30f04-6124-43c7-929b-656504ee64d0", "name": "Process Anti Debug Checking", "effort": "master", "data_sources": ["File monitoring", "Process command-line parameters", "Process monitoring"], "description": "Entries in /proc/self/status are used by malware to checks if current process is being debug. The prerequisites are to enable monitoring of the openat, openat2, open and open_by_handle_at syscalls using Auditbeat.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": []}, {"uuid": "6f1b77fa-1d21-4084-b192-bd0405b57e03", "name": "Python Offensive Tools and Packages", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "Track installation and usage of offensive python packages and project that are used for lateral movement.", "attack": ["execution - Python (T1059.006)"], "intake-formats": ["Juniper NGFW", "Microsoft Defender XDR / Microsoft 365 Defender", "Barracuda CloudGen Firewall", "Elastic AuditBeat Linux", "VMware vCenter", "IBM AIX", "SentinelOne Cloud Funnel 2.0", "Tanium", "Forcepoint Next-Generation Firewall", "Trend Micro Apex One / Vision One endpoint", "HarfangLab EDR", "WithSecure Elements", "Palo Alto Cortex XDR (EDR)", "Stormshield SNS", "Elastic Winlogbeat"]}, {"uuid": "46c83294-5147-4531-b0fd-f29bae39e1de", "name": "File and Directory Permissions Modification", "effort": "advanced", "data_sources": ["File monitoring", "Process command-line parameters", "Process monitoring"], "description": "Detects the use of chmod to give high level permissions to file that might be binary files. The prerequisites are to enable monitoring of the fchmodat, chmod and fchmod syscalls using Auditbeat.", "attack": ["defense-impairment - Linux and Mac Permissions (T1222.002)"], "intake-formats": ["Elastic AuditBeat Linux", "Sekoia.io Endpoint Agent"]}, {"uuid": "a301e3fb-f26c-4879-a3e7-742295266421", "name": "SSH Tunnel Traffic", "effort": "advanced", "data_sources": ["File monitoring", "Host network interface", "Process monitoring"], "description": "When a user creates and uses a SSH tunnel in Linux, the sshd process opens sockets to communicate with other machines or ports. With SSH tunneling, the SSH server can be used as a getaway to access internal systems. The traffic will seem to be coming from the SSH server whereas it only acts as a relay for an attacker. By using this technique, an attacker can successfully bypass external firewall rules and gain foothold to your network, allowing him to scan,hunt and attack your internal systems. This rule includes a filter on port 22, this filter is created to avoid false positive when a user is connecting via ssh. If you do not use port 22 for your machines, please create an alert filter.", "attack": ["command-and-control - Protocol Tunneling (T1572)"], "intake-formats": ["Elastic AuditBeat Linux", "Sekoia.io Endpoint Agent"]}, {"uuid": "18b9f844-78cd-4234-8885-1ab32a456163", "name": "Process Trace Alteration", "effort": "advanced", "data_sources": ["File monitoring", "Process command-line parameters", "Process monitoring"], "description": "PTrace syscall provides a means by which one process (\"tracer\") may observe and control the execution of another process (\"tracee\") and examine and change the tracee's memory and registers. Attacker might want to abuse ptrace functionnality to analyse memory process. It requires to be admin or set ptrace_scope to 0 to allow all user to trace any process.", "attack": ["credential-access - Proc Filesystem (T1003.007)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "Palo Alto Prisma access", "RSA SecurID", "Sophos EDR", "IBM AIX", "Watchguard EPDR", "ManageEngine ADAudit Plus", "F5 BIG-IP", "CrowdStrike Falcon", "SonicWall Firewall", "NeroSwarm Honeypot", "Stormshield SES", "Cybereason EDR", "VMware ESXi", "ESET Protect", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Trellix Network Security", "CyberArk Audit Logs", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "CEF", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "Daspren Parad", "One Identity SPS", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "Forcepoint Next-Generation Firewall", "Palo Alto NGFW", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "Netskope", "OCSF", "SentinelOne EDR", "Kaspersky Endpoint Security", "Varonis Data Security", "IBM iSeries", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Broadcom/Symantec Endpoint Security", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "482eaecc-7d67-4d75-b2ec-9db7406e8443", "name": "SSH Authorized Key Alteration", "effort": "advanced", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "The file authorized_keys is used by SSH server to identify SSH keys that are authorized to connect to the host, alteration of one of those files might indicate a user compromision.", "attack": ["privilege-escalation - SSH Authorized Keys (T1098.004)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Netskope", "VMware ESXi", "Juniper NGFW", "BeyondTrust Privileged Remote Access Session", "IBM iSeries", "BeyondTrust PRA Team [BETA]", "SentinelOne Cloud Funnel 2.0", "CyberArk Audit Logs", "Tanium", "ManageEngine ADAudit Plus", "NucleonEDR", "HarfangLab EDR", "Palo Alto Cortex XDR (EDR)", "Elastic Winlogbeat"]}, {"uuid": "221ccb62-3ee7-4ed1-9297-713e620e8388", "name": "Dynamic Linker Hijacking From Environment Variable", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "LD_PRELOAD and LD_LIBRARY_PATH are environment variables used by the Operating System at the runtime to load shared objects (library.ies) when executing a new process, attacker can overwrite this variable to attempts a privileges escalation.", "attack": ["execution - Dynamic Linker Hijacking (T1574.006)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "c31a6fcb-39f4-44b2-95e8-ebddf9ffcec1", "name": "Linux Masquerading Space After Name", "effort": "intermediate", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "This detection rule identifies a process created from an executable with a space appended to the end of the name.", "attack": ["stealth - Space after Filename (T1036.006)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Akamai Guardicore On-Prem [BETA]", "Systancia Cleanroom", "Trend Micro Vision One Workbench Alerts [BETA]", "CrowdStrike Falcon", "Stormshield SES", "ESET Protect", "Google Kubernetes Engine", "Bitdefender GravityZone", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Daspren Parad", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Tanium", "HarfangLab EDR", "SentinelOne EDR", "Kaspersky Endpoint Security", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "Broadcom/Symantec Endpoint Security", "Trellix ePO (on-prem)", "Windows", "Elastic Winlogbeat"]}, {"uuid": "131d52bd-ada7-4f45-b640-b6d223368c2d", "name": "System Info Discovery", "effort": "master", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "System info discovery, attempt to detects basic command use to fingerprint a host.", "attack": ["discovery - System Information Discovery (T1082)"], "intake-formats": ["Keycloak Events", "Microsoft Defender XDR (Graph API) [BETA]", "Akamai Guardicore On-Prem [BETA]", "Cisco Secure Firewall", "IBM AIX", "Windows Log Insight", "CrowdStrike Falcon", "Postfix", "SonicWall Firewall", "Stormshield SES", "Cybereason EDR", "VMware ESXi", "ESET Protect", "Elastic AuditBeat Linux", "Trellix EPO [ALPHA]", "Jumpcloud Directory Insights", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "CEF", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Daspren Parad", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Microsoft 365 / Office 365", "Akamai Guardicore Cloud [BETA]", "Azure Activity Logs", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "IBM iSeries", "VMware vCenter", "Thinkst Canary", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Broadcom/Symantec Endpoint Security", "Trellix ePO (on-prem)", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "34a2840f-814c-41c7-b39c-b40c0e0625f2", "name": "Add User to Privileged Group", "effort": "advanced", "data_sources": ["File monitoring", "Host network interface", "Process command-line parameters", "Process monitoring"], "description": "Add user in a potential privileged group which can be used to elevate privileges on the system.", "attack": ["privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "4c61a2b5-4ae5-4c5b-a674-32e2feb7f44e", "name": "Listing Systemd Environment", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host.", "attack": ["discovery - System Information Discovery (T1082)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "93f62e0e-d8eb-4b2b-b80d-5ea92b1b9f68", "name": "Correlation Netcat Infection Chain", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "Detect netcat connection to download et execute payload via piped bash", "attack": ["execution - Unix Shell (T1059.004)", "command-and-control - Ingress Tool Transfer (T1105)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Microsoft Defender XDR / Microsoft 365 Defender", "Juniper NGFW", "SentinelOne Singularity Identity", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch"]}, {"uuid": "1a0242df-3b77-4ae2-a1e5-78dd7ad8390c", "name": "SSH Port Binding", "effort": "advanced", "data_sources": ["File monitoring", "Host network interface", "Process monitoring"], "description": "When a user uses SSH tunneling in Linux, the sshd process binds sockets to communicate with the client machine via a ssh tunnel. With SSH tunneling, the SSH server can be used as a getaway to access internal systems. The traffic will seem to be coming from the SSH server whereas it only acts as a relay for an attacker. By using this technique, an attacker can successfully bypass external firewall rules. This rule is the most basic one (compared to the other one - SSH Tunnel), however it can detect the -D option in the ssh command if the machine is the client. This rule will detect the port binding (port 6010) when X11 forwarding is used. It will detect -R (server side), -D (client side) -X (server side), -Y (server side) and -L (client side) port binding.", "attack": ["command-and-control - Protocol Tunneling (T1572)"], "intake-formats": []}, {"uuid": "2fd41964-b588-4ab7-adba-e9b08c6dba92", "name": "Remote File Copy", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "Detects the use of remote tools that copy files from or to remote systems", "attack": ["exfiltration - Exfiltration Over C2 Channel (T1041)"], "intake-formats": ["Elastic AuditBeat Linux", "Sekoia.io Endpoint Agent"]}, {"uuid": "b9613c8e-34a9-4883-8a97-a73950c7a499", "name": "Linux Fileless Execution", "effort": "intermediate", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "Process image resolved to memfd syscall. Could be used by adversaries to hide malware", "attack": ["stealth - Reflective Code Loading (T1620)"], "intake-formats": ["Elastic AuditBeat Linux"]}, {"uuid": "db994091-8b28-45f5-a66b-90c06f5fa7a6", "name": "Container Credential Access", "effort": "intermediate", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "Adversaries could abuse containers tools to obtain credential like Kubernetes secret or Kubernetes service account access token", "attack": ["credential-access - Container API (T1552.007)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "4cc5bc62-6585-4034-bb52-6e677d72d648", "name": "Landlock Denied Access", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "Landlock LSM (Linux Security Module), has denied an access requests. This is logged by default for a program compiled with Landlock since Linux kernel 6.15.", "attack": ["defense-impairment - Subvert Trust Controls (T1553)"], "intake-formats": []}, {"uuid": "2284d3f4-22e2-4744-954d-3d26bb0fae68", "name": "Package Manager Alteration", "effort": "advanced", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "Package manager (eg: apt, yum) can be altered to install malicious software. To ensure full performance on this rule, `auditbeat` intake must be configure with the module `file_integrity` containing path mentionned in the pattern.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Netskope", "VMware ESXi", "Juniper NGFW", "BeyondTrust Privileged Remote Access Session", "IBM iSeries", "BeyondTrust PRA Team [BETA]", "SentinelOne Cloud Funnel 2.0", "CyberArk Audit Logs", "Tanium", "ManageEngine ADAudit Plus", "NucleonEDR", "HarfangLab EDR", "Palo Alto Cortex XDR (EDR)", "Elastic Winlogbeat"]}, {"uuid": "4595f98d-9464-45d8-9b2d-98ac50d35875", "name": "Shell PID Injection", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "Detects when shells PID are listed and injected in another process. It can be performed to reuse sudo token related to shell in order to elevate privilege and maintain persistence.", "attack": ["privilege-escalation - Access Token Manipulation (T1134)", "persistence - Authentication Package (T1131)", "privilege-escalation - Abuse Elevation Control Mechanism (T1548)", "discovery - Account Discovery (T1087)", "discovery - Remote System Discovery (T1018)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Microsoft Defender XDR / Microsoft 365 Defender", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch"]}, {"uuid": "a3b6b2cc-2750-443e-92e8-878bfa7828fc", "name": "Kernel Module Alteration", "effort": "advanced", "data_sources": ["File monitoring", "Process command-line parameters", "Process monitoring"], "description": "Kernel module installation can be used to configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. The prerequisites are to enable monitoring of the finit_module, init_module, delete_module syscalls using Auditbeat.", "attack": ["privilege-escalation - Kernel Modules and Extensions (T1547.006)"], "intake-formats": ["Keycloak Events", "Microsoft Defender XDR (Graph API) [BETA]", "Akamai Guardicore On-Prem [BETA]", "Cisco Secure Firewall", "IBM AIX", "Windows Log Insight", "CrowdStrike Falcon", "Postfix", "SonicWall Firewall", "Stormshield SES", "Cybereason EDR", "VMware ESXi", "ESET Protect", "Elastic AuditBeat Linux", "Trellix EPO [ALPHA]", "Jumpcloud Directory Insights", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "CEF", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Daspren Parad", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Microsoft 365 / Office 365", "Akamai Guardicore Cloud [BETA]", "Azure Activity Logs", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "IBM iSeries", "VMware vCenter", "Thinkst Canary", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Broadcom/Symantec Endpoint Security", "Trellix ePO (on-prem)", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "f40077d3-0f9e-4cca-9ed6-40d20dd4d7a9", "name": "Setuid Or Setgid Usage", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "Detects the usage of a setuid or a setgid. The prerequisites are to enable monitoring of the setuid and setgid syscalls using Auditbeat.", "attack": ["privilege-escalation - Setuid and Setgid (T1548.001)"], "intake-formats": ["Elastic AuditBeat Linux", "Sekoia.io Endpoint Agent"]}, {"uuid": "5956caeb-3bd8-42f9-9def-e7967764b574", "name": "SELinux Disabling", "effort": "intermediate", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "An attacker can disable SELinux to make workstation or server compromise easier as it disables several protections.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Juniper NGFW", "Microsoft Defender XDR / Microsoft 365 Defender", "IBM AIX", "Crowdstrike Falcon Telemetry", "Cisco NX-OS", "Broadcom/Symantec Endpoint Security", "Elastic Winlogbeat"]}, {"uuid": "7811968a-dda4-4bc7-b5cf-20b7fca2454d", "name": "Linux Suspicious Nohup Exec", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "Detects suspicious usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments", "attack": ["stealth - Ignore Process Interrupts (T1564.011)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "3d4556e7-1d00-4fcf-9093-a9430f2e40be", "name": "Socat Reverse Shell Detection", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "Socat is a linux tool used to relay or open reverse shell that is often used by attacker to bypass security equipment.", "attack": ["execution - Network Device CLI (T1059.008)", "command-and-control - Protocol Tunneling (T1572)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "c29c6591-54ff-433b-afc7-dacde0f75246", "name": "CVE 2022-1292", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script.", "attack": ["stealth - Indirect Command Execution (T1202)"], "intake-formats": ["Azure Windows", "OCSF", "SentinelOne EDR", "Sophos Analysis Threat Center", "Elastic Winlogbeat", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "WithSecure Elements", "Tanium", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "27c754fe-f46a-441b-b8c7-336e0a961ff6", "name": "Binary List Tcp", "effort": "advanced", "data_sources": ["File monitoring", "Process monitoring"], "description": "A binary is trying to list TCP connections. The prerequisites are to enable monitoring of the open and openat syscalls using Auditbeat.", "attack": ["command-and-control - Port Knocking (T1205.001)"], "intake-formats": []}, {"uuid": "628013a2-4262-495f-850d-9a46f0bf8f80", "name": "CVE-2021-4034 Polkit's pkexec", "effort": "intermediate", "data_sources": ["File monitoring", "Process command-line parameters", "Process monitoring"], "description": "Detection of Polkit's pkexec exploit", "attack": ["privilege-escalation - Exploitation for Privilege Escalation (T1068)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Juniper NGFW", "Microsoft Defender XDR / Microsoft 365 Defender", "IBM AIX", "Crowdstrike Falcon Telemetry", "Cisco NX-OS", "Broadcom/Symantec Endpoint Security", "Elastic Winlogbeat"]}, {"uuid": "fb940389-cb8c-41cc-9db2-6bf39d3bf551", "name": "SSH X11 Forwarding", "effort": "advanced", "data_sources": ["File monitoring", "Host network interface", "Process monitoring"], "description": "When a user creates and uses SSH X11 Forwarding in Linux, the sshd process opens sockets to communicate with the client machine via a ssh tunnel. X11 forwarding is used to deport graphic programs on the client side.", "attack": ["command-and-control - Protocol Tunneling (T1572)"], "intake-formats": ["Elastic AuditBeat Linux", "Sekoia.io Endpoint Agent"]}, {"uuid": "a93fcd3e-4c16-4ef7-b5d8-d642770915be", "name": "Raw Reverse Shell", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "To bypass some security equipment or for a sack of simplicity attackers can open raw reverse shell using sh and or bash commands", "attack": ["execution - Unix Shell (T1059.004)"], "intake-formats": []}, {"uuid": "b9facd50-b316-4e4a-b3d7-57f4b3521e4e", "name": "Default User www data User Compromised", "effort": "master", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "User www_data by default cannot log and use a shell, any syscall of type execve induce user compromise", "attack": ["persistence - Web Shell (T1505.003)", "execution - Unix Shell (T1059.004)"], "intake-formats": []}, {"uuid": "d4afadc0-9754-4f13-87a0-2a7f24a94d37", "name": "Network Scanning and Discovery", "effort": "advanced", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "Tools and command lines used for network discovery from current system", "attack": ["discovery - Remote System Discovery (T1018)"], "intake-formats": ["Keycloak Events", "Microsoft Defender XDR (Graph API) [BETA]", "Akamai Guardicore On-Prem [BETA]", "Cisco Secure Firewall", "IBM AIX", "Windows Log Insight", "CrowdStrike Falcon", "Postfix", "SonicWall Firewall", "Stormshield SES", "Cybereason EDR", "VMware ESXi", "ESET Protect", "Elastic AuditBeat Linux", "Trellix EPO [ALPHA]", "Jumpcloud Directory Insights", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "CEF", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Daspren Parad", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Microsoft 365 / Office 365", "Akamai Guardicore Cloud [BETA]", "Azure Activity Logs", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "IBM iSeries", "VMware vCenter", "Thinkst Canary", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Broadcom/Symantec Endpoint Security", "Trellix ePO (on-prem)", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "4688c4db-afb3-4547-b92d-9ed78053653d", "name": "Linux Remove Immutable Attribute", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "Adversaries may used chattr utility to alter file and folder attributes to control sudden operations like the deletion and modification of files.", "attack": ["defense-impairment - Linux and Mac Permissions (T1222.002)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "cc991200-e911-4780-b2c0-d2e21179b5fb", "name": "Linux Binary Masquerading", "effort": "elementary", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "Attackers could rename legitimate system bin to evade security mechanisme. The prerequisites are to enable monitoring of the execve syscall using Auditbeat.", "attack": ["stealth - Rename Legitimate Utilities (T1036.003)"], "intake-formats": ["Elastic AuditBeat Linux"]}, {"uuid": "9d71726f-0f5a-4b03-8712-6f5465aa22e9", "name": "Python Exfiltration Tools", "effort": "advanced", "data_sources": ["File monitoring", "Process command-line parameters", "Process monitoring"], "description": "Python has some built-in modules or library that could be installed and later be used as exflitration tool by an attacker", "attack": ["exfiltration - Automated Exfiltration (T1020)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "c8bf9268-1c55-4bdd-a9da-7d19e3237300", "name": "Many Downloads From Several Binaries", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "Threat Actors might use all the binaries to download the payload to make sure at least one is present on the target. The prerequisites are to enable monitoring of the connect syscall using Auditbeat.", "attack": ["command-and-control - Application Layer Protocol (T1071)"], "intake-formats": ["Elastic AuditBeat Linux", "Sekoia.io Endpoint Agent"]}, {"uuid": "87cd36b2-afe4-4d79-ae0f-d06e7f2e5175", "name": "Erase Shell History", "effort": "advanced", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "Malware and attacker try to reduce their fingerprints on compromised host by deleting shell history.", "attack": ["stealth - Clear Command History (T1070.003)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "0e156f31-8d70-47b2-ab26-7a57ca9ee907", "name": "Address Space Layout Randomization (ASLR) Alteration", "effort": "intermediate", "data_sources": ["File monitoring", "Process command-line parameters", "Process monitoring"], "description": "ASLR is a security feature used by the Operating System to mitigate memory exploit, attacker might want to disable it", "attack": ["stealth - Disable or Modify Tools (T1562.001)", "privilege-escalation - Proc Memory (T1055.009)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "7a44a445-8532-464d-af4e-cfbf66371b28", "name": "Process Memory Dumping From proc Filesystem", "effort": "master", "data_sources": ["File monitoring", "Process command-line parameters", "Process monitoring"], "description": "Attacker might want to leverage their permission on the system or steal authentication to third parties software, website, etc.. To do so, attacker might try to dump memory of interesting process, for instance ftp-server or web server to dig for authentication login and password. The prerequisites are to enable monitoring of the openat and open syscalls using Auditbeat.", "attack": ["credential-access - /etc/passwd and /etc/shadow (T1003.008)", "credential-access - Proc Filesystem (T1003.007)"], "intake-formats": []}, {"uuid": "d5277ae5-c49b-455a-98d1-6780e77728fc", "name": "Linux Shared Lib Injection Via Ldso Preload", "effort": "intermediate", "data_sources": ["File monitoring", "Process command-line parameters", "Process monitoring"], "description": "Detect ld.so.preload modification for shared lib injection, technique used by attackers to load arbitrary code into process", "attack": ["execution - Dynamic Linker Hijacking (T1574.006)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "Sophos EDR", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "One Identity SPS", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "WithSecure Elements", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "87e54a2b-087f-458b-99b1-30d945a32c23", "name": "Linux Ldpreload Modification", "effort": "intermediate", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "Detect ld.so.preload modification for shared lib injection, technique used by attackers to load arbitrary code into process", "attack": ["execution - Dynamic Linker Hijacking (T1574.006)"], "intake-formats": []}, {"uuid": "744922cf-e4ee-40c8-95cc-51e999b94be5", "name": "Login Brute-Force Successful Linux", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "A user has attempted to login several times (brute-force) and succeeded to login on the linux monitored endpoint.", "attack": ["credential-access - Brute Force (T1110)"], "intake-formats": []}, {"uuid": "5ad1fc9f-0e65-42b3-b019-735b862c86ed", "name": "Disabled Service", "effort": "advanced", "data_sources": ["File monitoring", "Process command-line parameters", "Process monitoring"], "description": "Service disabling can be abused by attacker to deny security mecanisms (eg: firewall, EDR, ect) and it is also often used by cryptominer to exploit as much RAM & CPU as possible on infected host. The prerequisites are to enable monitoring of the truncate, rename and unlink syscalls using Auditbeat.", "attack": ["stealth - Disable or Modify Tools (T1562.001)", "impact - Service Stop (T1489)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Juniper NGFW", "Microsoft Defender XDR / Microsoft 365 Defender", "IBM AIX", "Crowdstrike Falcon Telemetry", "Cisco NX-OS", "Broadcom/Symantec Endpoint Security", "Elastic Winlogbeat"]}, {"uuid": "1e9de869-252f-48be-9388-0a0d5e402eb8", "name": "Write To File In Systemd", "effort": "advanced", "data_sources": ["File monitoring"], "description": "A user tried to write something to a file in /etc/systemd/system. This repository contains services that are run at start. It can be used to run a malicious programm at start with high privileges. The prerequisites are to enable monitoring of the execve openat using Auditbeat.", "attack": ["credential-access - /etc/passwd and /etc/shadow (T1003.008)"], "intake-formats": []}, {"uuid": "4f036b22-9f50-4f1b-9995-1d65e4b9c1b8", "name": "RedMimicry Winnti Playbook Registry Manipulation", "effort": "elementary", "data_sources": ["Windows event logs", "Windows Registry", "Process command-line parameters"], "description": "Detects actions caused by the RedMimicry Winnti playbook. Logging for Registry events is needed in the Sysmon configuration (events 12 and 13).", "attack": ["persistence - Modify Registry (T1112)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "One Identity SPS", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "WithSecure Elements", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "13a9c3fa-5a75-466b-a882-a6aed437fb53", "name": "Disabling SmartScreen Via Registry", "effort": "elementary", "data_sources": ["Windows Registry"], "description": "Detects when a user disables smartscreen.", "attack": ["persistence - Modify Registry (T1112)"], "intake-formats": ["Azure Windows", "Microsoft Defender XDR (Graph API) [BETA]", "Sekoia.io Endpoint Agent", "BeyondTrust Privileged Remote Access Session", "Microsoft Defender XDR / Microsoft 365 Defender", "Trend Micro Vision One Workbench Alerts [BETA]", "BeyondTrust PRA Team [BETA]", "SentinelOne Cloud Funnel 2.0", "Crowdstrike Falcon Telemetry", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "0feaed11-8f2b-43e4-80d2-9578c937f9c5", "name": "Phosphorus (APT35) Exchange Discovery", "effort": "elementary", "data_sources": ["Process monitoring", "Windows event logs"], "description": "According to the Miscosoft's report, the group Phosphorus (part of APT35) uses a specific PowerShell command to collect information about its the environment of compromised Microsoft Exchange servers. The command is the following: Get-Recipient | Select Name -ExpandProperty EmailAddresses -first 1 | Select SmtpAddress |  ft -hidetableheaders", "attack": ["discovery - Email Account (T1087.003)"], "intake-formats": ["Sekoia.io Endpoint Agent", "Trend Micro Vision One Workbench Alerts [BETA]", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "HarfangLab EDR", "Windows", "Elastic Winlogbeat"]}, {"uuid": "8eef02fe-9d04-4531-a4cb-10c4bf9c09f6", "name": "Disabled IE Security Features", "effort": "advanced", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters", "PowerShell logs"], "description": "Detects from the command lines or the registry, changes that indicate unwanted modifications to registry keys that disable important Internet Explorer security features. This has been used by attackers during Operation Ke3chang.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "526e0767-2259-455d-a665-84a19a8b3740", "name": "Mshta JavaScript Execution", "effort": "elementary", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters"], "description": "Identifies suspicious mshta.exe commands that execute JavaScript supplied as a command line argument.", "attack": ["stealth - Mshta (T1218.005)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "ccfe820b-29ef-4d7b-8b83-c4cf69ce44da", "name": "PowerShell Malicious PowerShell Commandlets", "effort": "master", "data_sources": ["PowerShell logs", "Windows event logs"], "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks (PowerSploit...).", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Sekoia.io Endpoint Agent", "Trend Micro Vision One Workbench Alerts [BETA]", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "HarfangLab EDR", "Windows", "Elastic Winlogbeat"]}, {"uuid": "13a5b176-0087-4cd9-b909-dfce285b9357", "name": "Ngrok Process Execution", "effort": "intermediate", "data_sources": ["Process monitoring", "Process use of network", "Windows event logs"], "description": "Detects possible Ngrok execution, which can be used by attacker for RDP tunneling.", "attack": ["command-and-control - Protocol Tunneling (T1572)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "2ed7c9d1-9cf7-4107-9621-eec2f3cc79a9", "name": "PowerShell Commands Invocation", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects the execution to invoke a powershell command. This was used in an intrusion using Gootloader to access Mimikatz.", "attack": ["execution - Command and Scripting Interpreter (T1059)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "64637a76-8fe7-47fc-9769-81a6e5b2ac52", "name": "Correlation Post Exploitation Patterns Via Winrm", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs", "Process command-line parameters"], "description": "This rule detects a sequence of post exploitation commands (e.g., whoami, net, ipconfig) executed via WinRM on host within a short timeframe", "attack": ["stealth - Clear Mailbox Data (T1070.008)"], "intake-formats": ["ESET Protect", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "23153907-a43c-4c66-aa9c-881734674ef7", "name": "Admin User RDP Remote Logon", "effort": "master", "data_sources": ["Windows event logs", "Authentication logs"], "description": "Detects remote login through Remote Desktop Protocol (RDP) by Administrator user depending on internal pattern. Check before activation the identifiable administrators usernames (pattern or special unique character (\"Admin*\") to adapt and add some filtering.", "attack": ["initial-access - Valid Accounts (T1078)", "initial-access - Default Accounts (T1078.001)", "initial-access - Domain Accounts (T1078.002)", "initial-access - Local Accounts (T1078.003)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent", "Elastic Winlogbeat"]}, {"uuid": "9813039c-83c2-4083-851e-bcb57cf7cc5d", "name": "Computer Account Deleted", "effort": "master", "data_sources": ["Windows event logs"], "description": "Detects computer account deletion.", "attack": ["impact - Account Access Removal (T1531)"], "intake-formats": ["Keycloak Events", "Trend Micro Apex One / Vision One endpoint", "Fortinet FortiGate", "Cisco Secure Firewall", "Claroty xDome", "Palo Alto Prisma access", "RSA SecurID", "Sophos EDR", "WatchGuard Firebox", "IBM AIX", "Windows Log Insight", "Clavister NGFW", "F5 BIG-IP", "Ivanti / Pulse Connect Secure", "SonicWall Firewall", "NeroSwarm Honeypot", "Azure Network Watcher [DEPRECATED]", "Citrix NetScaler / ADC", "CyberArk Audit Logs", "Delinea PRA", "ArubaOS Switch", "Radware DefensePro [Beta]", "Salesforce", "Kubernetes Audit Log", "Trellix Advanced Threat Defense", "TEHTRIS EDR", "Azure Windows", "BeyondTrust Privileged Remote Access Session", "AWS CloudTrail", "Check Point NGFW", "BeyondTrust PRA Team [BETA]", "Sophos Analysis Threat Center", "WithSecure Elements", "CyberArk Digital Vault", "Cybereason EDR activity", "Forcepoint Next-Generation Firewall", "Palo Alto NGFW", "HarfangLab EDR", "Microsoft 365 / Office 365", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Lacework Cloud Security", "OCSF", "Sekoia.io Endpoint Agent", "IBM iSeries", "ExtraHop Reveal(x) 360", "Azure Network Watcher Flow Logs", "BeyondTrust PRA Vault Account Activity [BETA]", "Forcepoint Secure Web Gateway", "Thinkst Canary", "VMware vCenter", "Cisco NX-OS", "NucleonEDR", "Stormshield SES", "Trellix ePO (on-prem)", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "8bc6933a-deee-40f1-9272-3fac9a3015ec", "name": "RDP Configuration File From Mail Process", "effort": "advanced", "data_sources": ["Process command-line parameters", "Windows event logs", "File monitoring"], "description": "Detects RDP configuration file being created or executed by a Mail-related process like Outlook. RDP configuration file will allow, when opened, an user to connect to the configured server easily. Attackers use this to trick victims in order to get a shared drive and potentially retrieve the data from that drive, but also drop a malicious file on the drive to establish persistence. Using RDP can also expose the victim's credential and clipboard data on some cases.", "attack": ["collection - Data from Network Shared Drive (T1039)", "initial-access - Spearphishing Attachment (T1566.001)"], "intake-formats": ["Cisco Secure Firewall", "CrowdStrike Falcon", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "SentinelOne Singularity Identity", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "HarfangLab EDR", "Microsoft 365 / Office 365", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "Crowdstrike Falcon Telemetry", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "7139bc94-eded-473b-ba8c-35f9e2fc802a", "name": "DPAPI Domain Backup Key Extraction", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers", "attack": ["credential-access - LSA Secrets (T1003.004)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "36b02718-9fa7-4f68-a56e-b0a8cd364508", "name": "Tactical RMM Installation", "effort": "elementary", "data_sources": ["Windows event logs", "Process command-line parameters"], "description": "Detection of common Tactical RMM installation arguments that could be abused by some attackers.", "attack": ["execution - Windows Management Instrumentation (T1047)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "Stormshield SES", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Broadcom/Symantec Endpoint Security", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "5cf28b01-adeb-4468-936c-28494f8ec5aa", "name": "New Or Renamed User Account With '$' In Attribute 'SamAccountName'", "effort": "intermediate", "data_sources": ["Authentication logs", "Windows event logs"], "description": "Detects possible bypass EDR and SIEM via abnormal user account name.", "attack": ["stealth - Masquerading (T1036)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "353ba22f-f99a-4a77-a7e6-7bde6b0c3a51", "name": "Phorpiex DriveMgr Command", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects specific command used by the Phorpiex botnet to execute a copy of the loader during its self-spreading stage. As described by Microsoft, this behavior is unique and easily identifiable due to the use of folders named with underscores \"__\" and the PE name \"DriveMgr.exe\".", "attack": ["execution - Windows Command Shell (T1059.003)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "8c0b66bf-566c-4e75-b530-ac9792613020", "name": "Powershell UploadString Function", "effort": "advanced", "data_sources": ["Windows event logs", "PowerShell logs"], "description": "Powershell's `uploadXXX` functions are a category of methods which can be used to exfiltrate data through native means on a Windows host.", "attack": ["exfiltration - Exfiltration Over Alternative Protocol (T1048)", "exfiltration - Exfiltration Over Web Service (T1567)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "81d924d0-c96f-4fa3-b7a1-4e9d5098a668", "name": "Formbook Hijacked Process Command", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects process hijacked by Formbook malware which executes specific commands to delete the dropper or copy browser credentials to the database before sending them to the C2.", "attack": ["stealth - Match Legitimate Resource Name or Location (T1036.005)"], "intake-formats": ["Trend Micro Vision One Workbench Alerts [BETA]", "CrowdStrike Falcon", "Bitdefender GravityZone", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "SentinelOne Singularity Identity", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "HarfangLab EDR", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "Crowdstrike Falcon Telemetry", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "5b92ffea-77ca-4234-9318-0465d975dde7", "name": "Netsh Program Allowed With Suspicious Location", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Process use of network", "Windows event logs"], "description": "Detects Netsh commands that allow a suspcious application location on Windows Firewall, seen on kasidet worm. Last part of the existing rule (commandline startwith) was not added to this rule because it is not relevant.", "attack": ["stealth - Disable or Modify System Firewall (T1562.004)", "stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Azure Windows", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "Sophos Analysis Threat Center", "Elastic Winlogbeat", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "WithSecure Elements", "Tanium", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "a8a0e7b8-6101-454f-82d2-3bc7464b7196", "name": "BITSAdmin Download", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Process use of network", "Windows event logs"], "description": "Detects command to download file using BITSAdmin, a built-in tool in Windows. This technique is used by several threat actors to download scripts or payloads on infected system.", "attack": ["execution - BITS Jobs (T1197)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "2ed238bb-57d9-45df-b6b2-f398b9eea7a0", "name": "Execution From Suspicious Folder", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects a suspicious execution from an uncommon folder", "attack": ["stealth - Masquerading (T1036)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "e6301dd8-a196-472a-b0c6-474f719a2828", "name": "Winrshost Wrong Parent", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects if the Winrshosts process was executed by a non-legitimate parent process The winrshost.exe is a Host Process for WinRM's Remote Shell plugin.", "attack": ["privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Azure Windows", "Sekoia.io Endpoint Agent", "Elastic Winlogbeat", "SentinelOne Cloud Funnel 2.0", "CrowdStrike Falcon", "HarfangLab EDR", "Windows", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "862606db-11b4-4cf2-b65d-0ead209ee71f", "name": "New Service Creation", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects creation of a new service from command line", "attack": ["privilege-escalation - Windows Service (T1543.003)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "8a2859e8-4c76-11ec-a920-167732585753", "name": "Process Memory Dump Using Comsvcs", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects the use of comsvcs in command line to dump a specific process memory. This technique is used by attackers for privilege escalation and pivot.", "attack": ["credential-access - OS Credential Dumping (T1003)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "779ed27f-d7e2-446e-8283-91ced486c8a6", "name": "Discovery Commands Correlation", "effort": "intermediate", "data_sources": ["Windows event logs", "Process command-line parameters"], "description": "Detects some frequent discovery commands used by some ransomware operators.", "attack": ["discovery - Domain Account (T1087.002)", "discovery - System Information Discovery (T1082)", "discovery - System Network Connections Discovery (T1049)", "discovery - System Network Configuration Discovery (T1016)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "Postfix", "SonicWall Firewall", "Stormshield SES", "Cybereason EDR", "VMware ESXi", "ESET Protect", "Trellix EPO [ALPHA]", "Palo Alto Cortex XDR (EDR)", "Microsoft Defender XDR / Microsoft 365 Defender", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Cisco IOS router and switch", "Microsoft 365 / Office 365", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "IBM iSeries", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Broadcom/Symantec Endpoint Security", "Trellix ePO (on-prem)", "Windows", "Jumpcloud Directory Insights"]}, {"uuid": "4bf49bb8-3d53-4580-ad21-ad09aece217c", "name": "Anomaly New PowerShell Remote Session", "effort": "master", "data_sources": ["Windows event logs", "PowerShell logs"], "description": "Detects when PowerShell remote sessions are created in a short amount of time.", "attack": ["initial-access - External Remote Services (T1133)"], "intake-formats": []}, {"uuid": "1b3a2111-47e2-4fa7-bd7f-b92c5de1e58f", "name": "High Privileges Network Share Removal", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Windows event logs"], "description": "Detects high privileges shares being deleted with the net share command.", "attack": ["stealth - Network Share Connection Removal (T1070.005)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "16b0ac29-35b0-4289-9aab-9a50aaf4433b", "name": "Suspicious VBS Execution Parameter", "effort": "elementary", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters"], "description": "Detects suspicious VBS file execution with a specific parameter by cscript. It was observed in the Operation CloudHopper.", "attack": ["execution - Scripting (T1064)", "execution - Visual Basic (T1059.005)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "e53002a2-3df4-489c-9b98-ded5fe067c22", "name": "WMI DLL Loaded Via Office", "effort": "master", "data_sources": ["Loaded DLLs", "Process monitoring", "Windows event logs"], "description": "Detects Windows Management Instrumentation (WMI) DLL loaded via Office process. This activity may correspond to VBA macro executing WMI commands, which is highly suspicious. The prerequisite is to log Loaded DLLs images, which can be done with the Sysmon Event ID 7 (DLL image loaded by process).", "attack": ["execution - Windows Management Instrumentation (T1047)", "execution - Visual Basic (T1059.005)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "77b352ba-69c7-4351-8572-405015936fd1", "name": "Wsmprovhost Wrong Parent", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects if the Wsmprovhost process was executed by a non-legitimate parent process. The PowerShell host wsmprovhost.exe is a proxy process executed remotely through PowerShell when using Windows Remote Management (WinRM).", "attack": ["privilege-escalation - Process Injection (T1055)", "privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Azure Windows", "ESET Protect", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Cloud Funnel 2.0", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "8e1414e4-4133-4a49-867b-a8e513f737c7", "name": "Capture a network trace with netsh.exe", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Process use of network", "Windows event logs"], "description": "Detects capture a network trace via netsh.exe trace functionality", "attack": ["discovery - Network Sniffing (T1040)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "013c2feb-a7c6-49e8-bde2-c8d084bc37e3", "name": "Powershell Winlogon Helper DLL", "effort": "master", "data_sources": ["PowerShell logs", "Windows event logs", "Windows Registry"], "description": "Detects modifications to the Winlogon Registry keys, which may cause Winlogon to load and execute malicious DLLs and/or executables.", "attack": ["privilege-escalation - Winlogon Helper DLL (T1547.004)"], "intake-formats": ["Azure Windows", "Microsoft Defender XDR (Graph API) [BETA]", "Sekoia.io Endpoint Agent", "BeyondTrust Privileged Remote Access Session", "Microsoft Defender XDR / Microsoft 365 Defender", "Trend Micro Vision One Workbench Alerts [BETA]", "Sophos Analysis Threat Center", "BeyondTrust PRA Team [BETA]", "SentinelOne Cloud Funnel 2.0", "Tanium", "Crowdstrike Falcon Telemetry", "HarfangLab EDR", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "Windows", "Elastic Winlogbeat"]}, {"uuid": "4b3cc041-788c-44c1-8b2a-3b4037155e6e", "name": "Disable Task Manager Through Registry Key", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs", "Windows Registry"], "description": "Detects commands used to disable the Windows Task Manager by modifying the proper registry key in order to impair security tools. This technique is used by the Agent Tesla RAT, among others.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "One Identity SPS", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "WithSecure Elements", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "565e0925-782d-497a-bc84-89eda2f8e7b0", "name": "Successful Brute Force Login From Internet", "effort": "advanced", "data_sources": ["Authentication logs", "Windows event logs"], "description": "Detects a spike of failed login followed by a success one from Internet for a given source and target", "attack": ["credential-access - Brute Force (T1110)", "stealth - Indirect Command Execution (T1202)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "a9070565-2ee0-456c-b235-34c52f30d89a", "name": "Suspicious File Name", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects suspicious file name possibly linked to malicious tool.", "attack": ["execution - Command and Scripting Interpreter (T1059)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Fortinet FortiGate", "Gatewatcher AionIQ v102", "Cisco Secure Firewall", "Claroty xDome", "Cloudflare Gateway HTTP", "Palo Alto Prisma access", "IBM AIX", "Watchguard EPDR", "ManageEngine ADAudit Plus", "CrowdStrike Falcon", "Postfix", "SonicWall Firewall", "Mimecast Email Security", "VMware ESXi", "Google Workspace / ChromeOS", "Cato Networks SASE", "Trellix Network Security", "CyberArk Audit Logs", "Cisco Secure Web Appliance", "Trellix Advanced Threat Defense", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Proofpoint PoD", "BeyondTrust Privileged Remote Access Session", "Gatewatcher AionIQ V103", "CEF", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "Fortinet FortiMail", "One Identity SPS", "Sophos Analysis Threat Center", "CyberArk Digital Vault", "Tanium", "Zscaler Internet Access", "Palo Alto NGFW", "HarfangLab EDR", "Fortinet FortiProxy", "Trend Micro Cloud One / Deep Security", "Microsoft 365 / Office 365", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Netskope", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "Cisco Umbrella Proxy", "Varonis Data Security", "IBM iSeries", "Thinkst Canary", "Cisco NX-OS", "Trend Micro Apex One / Vision One endpoint", "WithSecure Elements", "Trellix ePO (on-prem)", "Windows", "Elastic Winlogbeat"]}, {"uuid": "e9a9ca55-4a47-4c61-b57e-3ba5682a1e17", "name": "Wmic Suspicious Commands", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects suspicious commands used by the process wmic to get informations on the system.", "attack": ["reconnaissance - Gather Victim Host Information (T1592)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Microsoft Defender XDR / Microsoft 365 Defender", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch"]}, {"uuid": "0687aa4a-474b-48fe-9c64-743bd5507047", "name": "AD User Enumeration", "effort": "master", "data_sources": ["Windows event logs"], "description": "Detects access to a domain user from a non-machine account. This requires Windows Security Event ID 4662 and could be triggered by some administrators configuring new users.", "attack": ["discovery - Account Discovery (T1087)", "discovery - Domain Account (T1087.002)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "262044e8-0b54-4ff9-b14b-1ae5e83f69ea", "name": "Component Object Model Hijacking", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects component object model hijacking. An attacker can establish persistence with COM objects.", "attack": ["persistence - Component Object Model Hijacking (T1546.015)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "ed5546ae-8663-11eb-8dcd-0242ac130003", "name": "Data Compressed With Rar", "effort": "master", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters", "PowerShell logs"], "description": "An adversary may compress data in order to make it portable and minimize the amount of data sent over the network, this could be done the popular rar command line program.", "attack": ["collection - Archive via Utility (T1560.001)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "c5da12e5-a97d-4ac6-9821-d49126e562c7", "name": "Powershell Suspicious Startup Shortcut Persistence", "effort": "master", "data_sources": ["Process monitoring", "File monitoring"], "description": "Detects Powershell writing Startup shortcuts for persistence.", "attack": ["privilege-escalation - Registry Run Keys / Startup Folder (T1547.001)"], "intake-formats": ["Sekoia.io Endpoint Agent", "Windows", "SentinelOne EDR", "Elastic Winlogbeat"]}, {"uuid": "0601247b-8773-4b52-9d8c-6d14a46b6323", "name": "Smss Wrong Parent", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects if the Smss process was executed by a non-legitimate parent process. Session Manager Subsystem (smss) process is a component of the Microsoft Windows NT family of operating systems.", "attack": ["privilege-escalation - Process Injection (T1055)", "privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Azure Windows", "ESET Protect", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Cloud Funnel 2.0", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "420db69e-4279-4a54-a2ed-42de6244f276", "name": "Invoke-TheHash Commandlets", "effort": "elementary", "data_sources": ["Process command-line parameters", "PowerShell logs", "Windows event logs"], "description": "Detects suspicious Invoke-TheHash PowerShell commandlet used for performing pass the hash WMI and SMB tasks.", "attack": ["execution - Windows Management Instrumentation (T1047)", "execution - PowerShell (T1059.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "916509f0-5ee0-4f07-91a4-cf5c43c70357", "name": "Correlation Supicious Powershell Drop and Exec", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Process use of network"], "description": "Detects a PowerShell process that download and exec a payload", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "CrowdStrike Falcon", "VMware ESXi", "Bitdefender GravityZone", "Palo Alto Cortex XDR (EDR)", "Microsoft Defender XDR / Microsoft 365 Defender", "Juniper NGFW", "Barracuda CloudGen Firewall", "SentinelOne Cloud Funnel 2.0", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Stormshield SES", "Windows"]}, {"uuid": "7bff7f0a-c24a-4c56-a197-0574a9880a1a", "name": "SOCKS Tunneling Tool", "effort": "intermediate", "data_sources": ["Process command-line parameters"], "description": "Detects the usage of a SOCKS tunneling tool, often used by threat actors. These tools often use the socks5 commandline argument, however socks4 can sometimes be used as well. Unfortunately, socks alone (without any number) triggered too many false positives. ", "attack": ["command-and-control - Protocol Tunneling (T1572)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "e7300375-9ff7-4cd7-8a75-2a7a5a4ab95e", "name": "WiFi Credentials Harvesting Using Netsh", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects the harvesting of WiFi credentials using netsh.exe.", "attack": ["discovery - Network Sniffing (T1040)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "eba9c01a-b88f-47af-b642-0a46fc849e4e", "name": "FlowCloud Malware", "effort": "elementary", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects FlowCloud malware from threat group TA410. This requires Windows Event registry logging.", "attack": ["persistence - Modify Registry (T1112)"], "intake-formats": ["Azure Windows", "Microsoft Defender XDR (Graph API) [BETA]", "Sekoia.io Endpoint Agent", "BeyondTrust Privileged Remote Access Session", "Microsoft Defender XDR / Microsoft 365 Defender", "Trend Micro Vision One Workbench Alerts [BETA]", "Sophos Analysis Threat Center", "BeyondTrust PRA Team [BETA]", "SentinelOne Cloud Funnel 2.0", "Crowdstrike Falcon Telemetry", "HarfangLab EDR", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "Windows", "Elastic Winlogbeat"]}, {"uuid": "79ccc4f7-b22c-4c9e-8cd2-3e6d382fed1a", "name": "PowerShell Invoke Expression With Registry", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "PowerShell logs", "Windows event logs"], "description": "Detects keywords from well-known PowerShell techniques to get registry key values", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "3bb10488-630f-472d-8ac0-fe9b9e361df7", "name": "QakBot Process Creation", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects QakBot like process executions", "attack": ["execution - Visual Basic (T1059.005)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "ESET Protect", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "1019a802-2bad-4a1f-b9e1-daaac938b8ae", "name": "DNS Server Error Failed Loading The ServerLevelPluginDLL", "effort": "master", "data_sources": ["Windows event logs"], "description": "This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded. This requires the dedicated Windows event provider Microsoft-Windows-DNS-Server-Service.", "attack": ["execution - DLL Side-Loading (T1574.002)"], "intake-formats": ["Azure Windows", "Keycloak Events", "Fortinet FortiGate", "OCSF", "Sekoia.io Endpoint Agent", "Stormshield SES", "AWS CloudTrail", "WithSecure Elements", "CyberArk Audit Logs", "Delinea PRA", "ArubaOS Switch", "HarfangLab EDR", "Ivanti / Pulse Connect Secure", "Trellix ePO (on-prem)", "Windows", "NeroSwarm Honeypot", "Elastic Winlogbeat"]}, {"uuid": "1166f801-5442-461d-a788-4dc32ece6d10", "name": "Lazarus Loaders", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects different loaders used by the Lazarus Group APT", "attack": ["execution - Windows Command Shell (T1059.003)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "f7be969d-eb10-43f5-a5d3-0bae05c0e0c6", "name": "Correlation Admin Files Checked On Network Share", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects requests to multiple admin files on a network share. This could be an attacker performing reconnaissance steps on the system.", "attack": ["discovery - Network Share Discovery (T1135)"], "intake-formats": ["Palo Alto Prisma access", "Sophos EDR", "IBM AIX", "SonicWall Firewall", "NeroSwarm Honeypot", "NucleonEDR", "BeyondTrust Privileged Remote Access Session", "Sophos Analysis Threat Center", "BeyondTrust PRA Team [BETA]", "Cybereason EDR activity", "Palo Alto NGFW", "HarfangLab EDR", "Sekoia.io Endpoint Agent", "IBM iSeries", "VMware vCenter", "Cisco NX-OS", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows"]}, {"uuid": "340505b2-95dd-43fa-9bca-aac21b41df1d", "name": "Netsh Port Forwarding", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Process use of network", "Windows event logs"], "description": "Detects netsh commands that enable a port forwarding between to hosts. This can be used by attackers to tunnel RDP or SMB shares for example.", "attack": ["stealth - Disable or Modify System Firewall (T1562.004)", "stealth - Disable or Modify Tools (T1562.001)", "command-and-control - Protocol Tunneling (T1572)", "command-and-control - Internal Proxy (T1090.001)", "exfiltration - Exfiltration Over C2 Channel (T1041)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "9cafb059-31f6-42fe-ad29-bd65c7e35aa3", "name": "DLL Load via LSASS Registry Key", "effort": "intermediate", "data_sources": ["Windows Registry", "Windows event logs"], "description": "Detects a method to load DLL via LSASS process using an undocumented Registry key. Prerequisites are logging for Registry events. This can be done with Sysmon events 12, 13 and 14 and monitor `SYSTEM\\CurrentControlSet\\Services`.", "attack": ["privilege-escalation - LSASS Driver (T1547.008)"], "intake-formats": ["Azure Windows", "Microsoft Defender XDR (Graph API) [BETA]", "Sekoia.io Endpoint Agent", "BeyondTrust Privileged Remote Access Session", "Microsoft Defender XDR / Microsoft 365 Defender", "Trend Micro Vision One Workbench Alerts [BETA]", "Sophos Analysis Threat Center", "BeyondTrust PRA Team [BETA]", "SentinelOne Cloud Funnel 2.0", "Tanium", "Crowdstrike Falcon Telemetry", "HarfangLab EDR", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "Windows", "Elastic Winlogbeat"]}, {"uuid": "9ccf98d7-1100-417d-a71f-3a4a222cbd22", "name": "Active Directory Delegate To KRBTGT Service", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "Detects potential persistence installation from an already compromised administrator domain account. The attacker will create a TGT and abuse a service account with the constrained delegation and update it with the krbtgt service. The detection relies on the Event ID 4738.", "attack": ["privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "bf9ea197-b5b3-4335-bd78-2d6e7abf9d58", "name": "Microsoft Defender Antivirus Set-MpPreference Base64 Encoded", "effort": "intermediate", "data_sources": ["PowerShell logs", "Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects changes of preferences for Windows Defender through command line or PowerShell scripts. Configure Windows Defender using base64-encoded commands is suspicious and could be related to malicious activities.", "attack": ["stealth - Disable or Modify Tools (T1562.001)", "stealth - Deobfuscate/Decode Files or Information (T1140)", "execution - PowerShell (T1059.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "d26e23cb-cf9b-4791-aefc-dff3d3dd5745", "name": "Suspicious Windows ANONYMOUS LOGON Local Account Created", "effort": "elementary", "data_sources": ["Windows event logs"], "description": "Detects the creation of suspicious accounts simliar to ANONYMOUS LOGON, such as using additional spaces. Created as a covering detection for attackers trying to created an ANONYMOUS LOGON account as it is an account named used in internal Windows events and frequently filtered by attackers.", "attack": ["persistence - Local Account (T1136.001)", "persistence - Domain Account (T1136.002)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "e8656dd6-c264-4135-a10f-c3dba4a9f8de", "name": "Malware Outbreak", "effort": "advanced", "data_sources": ["Windows event logs", "Anti-virus", "File monitoring"], "description": "Spots a peak of malware detection by windows defender on this perimeter.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": []}, {"uuid": "9ab7df82-9116-4899-913d-0af602aa1085", "name": "LanManServer Registry Modify", "effort": "elementary", "data_sources": ["Windows Registry"], "description": "Detects when the LanManServer registry sub-key MaxMpxCt is modified. An attacker can modified this value to increase the maximum number of outstanding client requests supported. ", "attack": ["persistence - Modify Registry (T1112)"], "intake-formats": ["Azure Windows", "Microsoft Defender XDR (Graph API) [BETA]", "Sekoia.io Endpoint Agent", "BeyondTrust Privileged Remote Access Session", "Microsoft Defender XDR / Microsoft 365 Defender", "Trend Micro Vision One Workbench Alerts [BETA]", "BeyondTrust PRA Team [BETA]", "SentinelOne Cloud Funnel 2.0", "Crowdstrike Falcon Telemetry", "HarfangLab EDR", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "Windows", "Elastic Winlogbeat"]}, {"uuid": "b98f6724-3bb7-431a-a7f7-286df129460d", "name": "Mshta Command From A Scheduled Task", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects when an attacker leverage the Microsoft Windows Scheduled task feature to run the mshta.exe process. This is a common usage of a living-off-the-land binary, frequently abused for malicous purposes and not common nowadays in IT administration.", "attack": ["privilege-escalation - Process Injection (T1055)", "privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Azure Windows", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "Sophos Analysis Threat Center", "Elastic Winlogbeat", "SentinelOne Cloud Funnel 2.0", "Tanium", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "49bd18a6-a90f-4f34-9a7b-fab9e26fed68", "name": "Audio Capture via PowerShell", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs", "PowerShell logs"], "description": "Detects audio capture via PowerShell Cmdlet", "attack": ["collection - Audio Capture (T1123)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "50aff47a-e906-4825-a9ac-6205e378225b", "name": "DHCP Server Error Failed Loading the CallOut DLL", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded.", "attack": ["execution - DLL Side-Loading (T1574.002)"], "intake-formats": ["Azure Windows", "Keycloak Events", "Fortinet FortiGate", "OCSF", "Sekoia.io Endpoint Agent", "Stormshield SES", "AWS CloudTrail", "WithSecure Elements", "CyberArk Audit Logs", "Delinea PRA", "ArubaOS Switch", "HarfangLab EDR", "Ivanti / Pulse Connect Secure", "Trellix ePO (on-prem)", "Windows", "NeroSwarm Honeypot", "Elastic Winlogbeat"]}, {"uuid": "df27455e-5eed-4c88-92d6-7de7e4e75985", "name": "AD Object WriteDAC Access", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects WRITE_DAC access to a domain object. This requires Windows Event ID 4662.", "attack": ["defense-impairment - File and Directory Permissions Modification (T1222)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "22c4d903-79f0-409a-bd34-9b3ae89b303c", "name": "Cmdkey Cached Credentials Recon", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects usage of cmdkey to look for cached credentials.", "attack": ["credential-access - Cached Domain Credentials (T1003.005)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "99b20dcd-c8db-42c7-b00c-a933c580e70a", "name": "Exfiltration Domain In Command Line", "effort": "intermediate", "data_sources": ["Windows event logs", "Process command-line parameters"], "description": "Detects commands containing a domain linked to http exfiltration.", "attack": ["exfiltration - Exfiltration Over Alternative Protocol (T1048)", "exfiltration - Exfiltration Over Web Service (T1567)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "563c7c7a-4c54-44de-a081-8cf99c1d2103", "name": "Microsoft Defender Antivirus Disable Scheduled Tasks", "effort": "intermediate", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters"], "description": "The rule detects attempts to deactivate/disable Windows Defender scheduled tasks via command line or PowerShell scripts.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "40b4f324-5ddf-4d22-8bb2-917c1502daaa", "name": "Microsoft Defender Antivirus Disable Using Registry", "effort": "master", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters", "PowerShell logs"], "description": "The rule detects attempts to deactivate/disable Microsoft Defender Antivirus using registry modification via command line or PowerShell scripts.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "188ed422-2740-4527-af39-b7cbcefe4adc", "name": "PowerView commandlets 2", "effort": "master", "data_sources": ["PowerShell logs", "Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects PowerView commandlets which perform network and Windows domain enumeration and exploitation. It provides replaces for almost all Windows net commands, letting you query users, machines, domain controllers, user descriptions, share, sessions, and more.", "attack": ["discovery - System Service Discovery (T1007)", "discovery - Remote System Discovery (T1018)", "discovery - Account Discovery (T1087)", "discovery - Network Share Discovery (T1135)", "discovery - Domain Trust Discovery (T1482)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "ed05a92f-8400-4132-821b-411ab5dd2cb0", "name": "Admin Share Access", "effort": "master", "data_sources": ["Windows event logs", "Authentication logs"], "description": "Detects access to $ADMIN share. The advanced audit policy setting \"Object Access > Audit File Share\" must be configured for Success/Failure. Also be very cautious to previously check if this is not commonly used by your administrators as to remotely manage your computers.", "attack": ["lateral-movement - SMB/Windows Admin Shares (T1021.002)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "244b4381-9351-4c61-ac43-425c2d2f21aa", "name": "Suspicious Windows Script Execution", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects wscript.exe or cscript.exe executing a script in user directories (C:\\ProgramData or C:\\Users) with a .txt extension, which is very suspicious. It could strongly correspond to a malware dropper, as seen during SquirrelWaffle maldoc campaign.", "attack": ["execution - Command and Scripting Interpreter (T1059)", "execution - Visual Basic (T1059.005)", "execution - JavaScript (T1059.007)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "a5eb473a-6005-4976-9d62-2995f85daa12", "name": "MalwareBytes Uninstallation", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects command line being used by attackers to uninstall Malwarebytes.", "attack": ["stealth - Disable or Modify Tools (T1562.001)", "execution - Windows Command Shell (T1059.003)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "b5624a26-9a00-4599-86b8-0f14048ea295", "name": "Mustang Panda Dropper", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "Detects specific process parameters as used by Mustang Panda droppers", "attack": ["execution - Windows Command Shell (T1059.003)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "a3d00d0d-b6fc-4b5a-a0c6-6cd7c1517566", "name": "Spyware Persistence Using Schtasks", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects possible Agent Tesla or Formbook persistence using schtasks. The name of the scheduled task used by these malware is very specific (Updates/randomstring).", "attack": ["privilege-escalation - Scheduled Task (T1053.005)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "636a2fc0-d6c6-4dd9-a87f-7f86c20a5163", "name": "Kerberos Pre-Auth Disabled in UAC", "effort": "elementary", "data_sources": ["Windows event logs"], "description": "The rule identify a change performed on a domain user object that disables Kerberos Pre-Authentication", "attack": ["credential-access - AS-REP Roasting (T1558.004)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "c3d29b84-d7b8-406a-b951-dfa9b60ba618", "name": "Cobalt Strike Named Pipes", "effort": "master", "data_sources": ["Windows event logs", "Named Pipes"], "description": "Detects the pipes established by Cobalt Strike to allow a communication between its beacons.", "attack": ["privilege-escalation - Process Injection (T1055)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "65cf7088-7967-4f25-be9a-02b05f8820b0", "name": "Malspam Execution Registering Malicious DLL", "effort": "elementary", "data_sources": ["DLL monitoring", "File monitoring", "Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects the creation of a file in the C:\\Datop folder, or DLL registering a file in the C:\\Datop folder. Files located in the Datop folder are very characteristic of malspam execution related to Qakbot or SquirrelWaffle. Prerequisites are Logging for File Creation events, which can be done in the Sysmon configuration (events 11), for the first part of the pattern (TargetFilename).", "attack": ["execution - Malicious File (T1204.002)", "execution - Windows Command Shell (T1059.003)", "execution - Visual Basic (T1059.005)", "stealth - Rundll32 (T1218.011)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "5fce554b-d8fb-4615-8f46-3d7e6edef182", "name": "Compression Followed By Suppression", "effort": "advanced", "data_sources": ["Windows event logs", "PowerShell logs"], "description": "Detects when a file is compressed and deleted.", "attack": ["stealth - File Deletion (T1070.004)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "97ea4517-1d60-4da6-a9eb-9b17ab0a8419", "name": "Microsoft Malware Protection Engine Crash", "effort": "intermediate", "data_sources": ["Windows Error Reporting", "Windows event logs"], "description": "Detects a crash of the Microsoft Malware Protection Engine process (MsMpEng.exe), which is suspicious and could be related to an attacker disabling the Windows protection.", "attack": ["stealth - Exploitation for Stealth (T1211)", "stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Sekoia.io Endpoint Agent", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "043c8c79-3452-44d2-8f21-7b03b8532548", "name": "DNS ServerLevelPluginDll Installation", "effort": "master", "data_sources": ["DLL monitoring", "Process command-line parameters", "Windows event logs", "Windows Registry"], "description": "Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Windows Registry or in command line, which can be used to execute code in context of the DNS server (restart required). To fully use this rule, prerequesites are logging for Registry events in the Sysmon configuration (events 12, 13 and 14).", "attack": ["execution - DLL Side-Loading (T1574.002)", "persistence - Modify Registry (T1112)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "One Identity SPS", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "WithSecure Elements", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "aa416c69-e9d7-417a-90f1-a29e1cf065e3", "name": "Csrss Child Found", "effort": "advanced", "data_sources": ["Process monitoring", "Windows event logs"], "description": "The csrss.exe process (csrss stands for Client / Server Runtime Subsystem) is a generic Windows process used to manage windows and Windows graphics. This process  should not create a child process or it is very rare.", "attack": ["privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Azure Windows", "ESET Protect", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Cloud Funnel 2.0", "Tanium", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "3a9dbfaa-864f-48ec-8cff-65063fd8086f", "name": "Grabbing Sensitive Hives Via Reg Utility", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects dump of SAM, System or Security hives using reg.exe utility. Adversaries may attempt to dump these Windows Registry to retrieve password hashes and access credentials.", "attack": ["credential-access - Security Account Manager (T1003.002)", "credential-access - LSA Secrets (T1003.004)", "credential-access - Cached Domain Credentials (T1003.005)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "b344066e-8710-11eb-8dcd-0242ac130003", "name": "ETW Tampering", "effort": "intermediate", "data_sources": ["Windows event logs", "Process command-line parameters", "Process monitoring"], "description": "Detects a command that clears or disables any ETW Trace log which could indicate a logging evasion", "attack": ["stealth - Indicator Removal (T1070)", "stealth - Indicator Blocking (T1562.006)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "b4d66207-82ae-485b-bb17-acde55768451", "name": "Suspicious Scripting In A WMI Consumer", "effort": "intermediate", "data_sources": ["Windows event logs", "WMI Objects"], "description": "Detects suspicious scripting in WMI Event Consumers. The rule requires to log WMI Consumers, which can be done through Sysmon's Event IDs 20 and 21.", "attack": ["persistence - Windows Management Instrumentation Event Subscription (T1546.003)", "execution - Command and Scripting Interpreter (T1059)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "01f0e538-fe49-4aa1-b5cc-f38e8a3f5d32", "name": "File Or Folder Permissions Modifications", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.", "attack": ["defense-impairment - Windows Permissions (T1222.001)"], "intake-formats": ["Azure Activity Logs", "Azure Windows", "OCSF", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "7e72b6ee-668b-437b-8fda-fbc5eb1a3761", "name": "Password Change On Directory Service Restore Mode (DSRM) Account", "effort": "intermediate", "data_sources": ["Authentication logs", "Windows event logs"], "description": "The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.", "attack": ["privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["Keycloak Events", "Trend Micro Apex One / Vision One endpoint", "Fortinet FortiGate", "Cisco Secure Firewall", "Claroty xDome", "Palo Alto Prisma access", "RSA SecurID", "Sophos EDR", "WatchGuard Firebox", "IBM AIX", "Windows Log Insight", "Clavister NGFW", "F5 BIG-IP", "Ivanti / Pulse Connect Secure", "SonicWall Firewall", "NeroSwarm Honeypot", "Azure Network Watcher [DEPRECATED]", "Citrix NetScaler / ADC", "CyberArk Audit Logs", "Delinea PRA", "ArubaOS Switch", "Radware DefensePro [Beta]", "Salesforce", "Kubernetes Audit Log", "Trellix Advanced Threat Defense", "TEHTRIS EDR", "Azure Windows", "BeyondTrust Privileged Remote Access Session", "AWS CloudTrail", "Check Point NGFW", "BeyondTrust PRA Team [BETA]", "Sophos Analysis Threat Center", "WithSecure Elements", "CyberArk Digital Vault", "Cybereason EDR activity", "Forcepoint Next-Generation Firewall", "Palo Alto NGFW", "HarfangLab EDR", "Microsoft 365 / Office 365", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Lacework Cloud Security", "OCSF", "Sekoia.io Endpoint Agent", "IBM iSeries", "ExtraHop Reveal(x) 360", "Azure Network Watcher Flow Logs", "BeyondTrust PRA Vault Account Activity [BETA]", "Forcepoint Secure Web Gateway", "Thinkst Canary", "VMware vCenter", "Cisco NX-OS", "NucleonEDR", "Stormshield SES", "Trellix ePO (on-prem)", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "1039a0e3-9410-4de1-84a2-039c00c61495", "name": "Microsoft Defender Antivirus Signatures Removed With MpCmdRun", "effort": "elementary", "data_sources": ["Windows event logs", "Process command-line parameters", "Process monitoring"], "description": "Detects attempts to remove Windows Defender Signatures using MpCmdRun legitimate Windows Defender executable. No signatures mean Windows Defender will be less effective (or completely useless depending on the option used).", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "6102214f-76fb-4c2c-9d59-f99c210d4bd4", "name": "Possible Replay Attack", "effort": "master", "data_sources": ["Windows event logs"], "description": "This event can be a sign of Kerberos replay attack or, among other things, network device configuration or routing problems.", "attack": ["credential-access - Steal or Forge Kerberos Tickets (T1558)"], "intake-formats": ["Keycloak Events", "Trend Micro Apex One / Vision One endpoint", "Fortinet FortiGate", "Cisco Secure Firewall", "Claroty xDome", "Palo Alto Prisma access", "RSA SecurID", "Sophos EDR", "WatchGuard Firebox", "IBM AIX", "Windows Log Insight", "Clavister NGFW", "F5 BIG-IP", "Ivanti / Pulse Connect Secure", "SonicWall Firewall", "NeroSwarm Honeypot", "Azure Network Watcher [DEPRECATED]", "Citrix NetScaler / ADC", "CyberArk Audit Logs", "Delinea PRA", "ArubaOS Switch", "Radware DefensePro [Beta]", "Salesforce", "Kubernetes Audit Log", "Trellix Advanced Threat Defense", "TEHTRIS EDR", "Azure Windows", "BeyondTrust Privileged Remote Access Session", "AWS CloudTrail", "Check Point NGFW", "BeyondTrust PRA Team [BETA]", "Sophos Analysis Threat Center", "WithSecure Elements", "CyberArk Digital Vault", "Cybereason EDR activity", "Forcepoint Next-Generation Firewall", "Palo Alto NGFW", "HarfangLab EDR", "Microsoft 365 / Office 365", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Lacework Cloud Security", "OCSF", "Sekoia.io Endpoint Agent", "IBM iSeries", "ExtraHop Reveal(x) 360", "Azure Network Watcher Flow Logs", "BeyondTrust PRA Vault Account Activity [BETA]", "Forcepoint Secure Web Gateway", "Thinkst Canary", "VMware vCenter", "Cisco NX-OS", "NucleonEDR", "Stormshield SES", "Trellix ePO (on-prem)", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "5925ae97-0174-42cf-8910-1ceaf38cbc51", "name": "Windows Registry Persistence COM Key Linking", "effort": "master", "data_sources": ["Process command-line parameters", "Windows event logs", "Windows Registry"], "description": "Detects COM object hijacking via TreatAs subkey. Logging for Registry events is needed in the Sysmon configuration with this kind of rule `<TargetObject name=\"testr12\" condition=\"end with\">\\TreatAs\\(Default)</TargetObject>`.", "attack": ["persistence - Component Object Model Hijacking (T1122)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "One Identity SPS", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "WithSecure Elements", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "d1730225-97cd-414a-8538-92986d07bfa2", "name": "Windows Firewall Changes", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects changes on Windows Firewall configuration", "attack": ["stealth - Disable or Modify System Firewall (T1562.004)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "98f8d96e-ac28-4aaa-a718-bc62d6dddfd3", "name": "Remote Monitoring and Management Software - AnyDesk", "effort": "master", "data_sources": ["Process monitoring", "Network protocol analysis", "Services", "Windows Registry", "File monitoring"], "description": "Detect artifacts related to the installation or execution of the Remote Monitoring and Management tool AnyDesk.", "attack": ["command-and-control - Remote Access Tools (T1219)"], "intake-formats": ["Fortinet FortiGate", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "Hornetsecurity 365 Total Protection", "Google Cloud Audit Logs", "GraphAPI for Microsoft Entra ID / Azure AD", "AWS WAF", "Apache HTTP Server", "NeroSwarm Honeypot", "Sekoia.io activity logs", "Cybereason EDR", "Elastic AuditBeat Linux", "Trellix Network Security", "Delinea PRA", "Cisco Secure Web Appliance", "Azure Front Door", "Cloudflare Gateway Network", "Azure Windows", "Proofpoint PoD", "Juniper NGFW", "Daspren Parad", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Cloudflare DNS logs", "SentinelOne Cloud Funnel 2.0", "Wiz Audit Logs", "Cybereason EDR activity", "Tanium", "Zscaler Internet Access", "Forcepoint Next-Generation Firewall", "Vectra Cognito Detect", "HarfangLab EDR", "Fortinet FortiProxy", "Stormshield SNS", "Microsoft 365 / Office 365", "EfficientIP SOLIDServer DDI", "Google Cloud Load Balancing", "OCSF", "VMware vCenter", "Suricata", "Cloudflare Gateway DNS", "Crowdstrike Falcon Telemetry", "SonicWall Secure Mobile Access", "Elastic Winlogbeat", "Github Audit logs", "Systancia Cleanroom", "Watchguard EPDR", "Cisco ISE", "ManageEngine ADAudit Plus", "Broadcom Edge Secure Web Gateway", "CrowdStrike Falcon", "Infoblox DDI", "Postfix", "PingFederate", "Google Workspace / ChromeOS", "Rubycat PROVE IT", "Radware DefensePro [Beta]", "Cloudflare WAF events", "Fastly Next-Gen WAF Audit Logs", "Kubernetes Audit Log", "Fortinet FortiWeb", "TEHTRIS EDR", "AWS CloudFront", "BeyondTrust Privileged Remote Access Session", "Microsoft Entra ID / Azure AD", "AWS GuardDuty", "BeyondTrust PRA Team [BETA]", "Cloudflare HTTP requests", "BIND", "Ubika Cloud Protector Traffic [DEPRECATED]", "Zscaler Private Access [BETA]", "Nozomi CMC", "Akamai Guardicore Cloud [BETA]", "Sekoia.io Endpoint Agent", "Cisco Umbrella Proxy", "Varonis Data Security", "F5 NGINX", "Forcepoint Secure Web Gateway", "Trend Micro Apex One / Vision One endpoint", "Cisco Umbrella DNS", "Broadcom/Symantec Endpoint Security", "Stormshield SES", "Cisco IOS router and switch", "Proofpoint TAP", "Trapster (by Ballpoint) [BETA]", "Trellix EPO [ALPHA]", "Microsoft Defender XDR (Graph API) [BETA]", "Trellix ePO (on-prem)", "Akamai Guardicore On-Prem [BETA]", "Cisco Secure Firewall", "Palo Alto Prisma access", "Ubika WAAP Gateway", "IBM AIX", "Windows Log Insight", "Unbound", "SonicWall Firewall", "ESET Protect", "Google Kubernetes Engine", "Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "Citrix NetScaler / ADC", "Cato Networks SASE", "Cisco ESA", "Nozomi Vantage", "Ubika Cloud Protector Next Generation Alerts", "Imperva WAF", "CyberArk Audit Logs", "ArubaOS Switch", "Salesforce", "Okta", "HAProxy", "Gatewatcher AionIQ V103", "AWS CloudTrail", "CEF", "F5 Distributed Cloud", "Check Point NGFW", "Fortinet FortiMail", "Netskope Transaction Events with AWS S3", "Palo Alto NGFW", "Azure Files", "Sophos Firewall", "Netskope", "Thinkst Canary", "Cisco NX-OS", "NucleonEDR", "Windows", "Jumpcloud Directory Insights", "Keycloak Events", "Seckiot Citadelle", "Gatewatcher AionIQ v102", "Claroty xDome", "Trend Micro Vision One Workbench Alerts [BETA]", "Sophos EDR", "WatchGuard Firebox", "FreeRADIUS", "Squid", "Fastly Next-Gen WAF Alerts", "Cisco Meraki MX", "F5 BIG-IP", "Ivanti / Pulse Connect Secure", "Jizo AI / Sesame it NDR", "VMware ESXi", "Microsoft Intune", "Bitdefender GravityZone", "Nanocorp [BETA]", "Broadcom Cloud Secure Web Gateway", "Palo Alto Cortex XDR (EDR)", "Retarus Email Security", "Microsoft Defender XDR / Microsoft 365 Defender", "MokN - Baits", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "WithSecure Elements", "CyberArk Digital Vault", "OGO WAF", "Trend Micro Cloud One / Deep Security", "Azure Activity Logs", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "SentinelOne EDR", "Azure Key Vault", "Kaspersky Endpoint Security", "IBM iSeries", "Cisco Duo Security", "Cisco Catalyst SD-WAN", "WALLIX Bastion", "Vade Cloud"]}, {"uuid": "b8b4743b-1803-42d0-bc49-0504bd4f60be", "name": "Domain Trust Discovery Through LDAP", "effort": "elementary", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters"], "description": "Detects attempts to gather information on domain trust relationships that may be used to identify lateral movement opportunities. \"trustedDomain\" which is detected here is a Microsoft Active Directory ObjectClass Type that represents a domain that is trusted by, or trusting, the local AD DOMAIN. Several tools are using LDAP queries in the end to get the information (DSQuery, sometimes ADFind as well, etc.)", "attack": ["discovery - Domain Trust Discovery (T1482)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "e736f8d8-c2c5-41d9-85e4-2dce5ac2c7ee", "name": "WMImplant Hack Tool", "effort": "advanced", "data_sources": ["PowerShell logs", "Windows event logs", "Process command-line parameters"], "description": "WMImplant is a powershell framework used by attacker for reconnaissance and exfiltration, this rule attempts to detect WMimplant arguments and invokes commands. ", "attack": ["execution - Windows Management Instrumentation (T1047)", "execution - PowerShell (T1059.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "8332984c-db1d-4464-bb9d-a7a501c830e4", "name": "COM Hijack Via Sdclt", "effort": "intermediate", "data_sources": ["Windows Registry", "Windows event logs"], "description": "Detects changes to 'HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute', to bypass UAC using 'sdclt.exe'.", "attack": ["persistence - Event Triggered Execution (T1546)", "privilege-escalation - Abuse Elevation Control Mechanism (T1548)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Microsoft Defender XDR / Microsoft 365 Defender", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch"]}, {"uuid": "c9ed5d2e-d22b-4e11-b1b0-3992ba635170", "name": "Taskhostw Wrong Parent", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects if the Taskhostw process was executed by a non-legitimate parent process. Taskhostw is a software component of Windows service start manager, it starts DLL-based Windows services when the computer boots up.", "attack": ["privilege-escalation - Process Injection (T1055)", "privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Azure Windows", "ESET Protect", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Cloud Funnel 2.0", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "002184b5-748e-4ff0-8b6b-d2a74959b81a", "name": "Detection of default Mimikatz banner", "effort": "intermediate", "data_sources": ["PowerShell logs", "Windows event logs"], "description": "Detection of default Mimikatz banner in powershell events", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "789edb8a-8722-11eb-8dcd-0242ac130003", "name": "Exploit For CVE-2017-0261 Or CVE-2017-0262", "effort": "advanced", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters", "PowerShell logs"], "description": "Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262 through command line or PowerShell script. This is a very basic detection method relying on the rare usage of EPS files from Winword.", "attack": ["stealth - Match Legitimate Resource Name or Location (T1036.005)"], "intake-formats": ["Trend Micro Vision One Workbench Alerts [BETA]", "CrowdStrike Falcon", "ESET Protect", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "SentinelOne Singularity Identity", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "HarfangLab EDR", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "562b389a-1eff-4353-be6b-cd0b3897dcc2", "name": "Leviathan Registry Key Activity", "effort": "elementary", "data_sources": ["Windows event logs", "Windows Registry", "Process monitoring", "Process command-line parameters"], "description": "Detects registry key used by Leviathan APT in Malaysian focused campaign.", "attack": ["privilege-escalation - Registry Run Keys / Startup Folder (T1547.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "One Identity SPS", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "WithSecure Elements", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "789f3a8c-7c0b-4b49-b1dd-eecc6cefd531", "name": "Usage Of Sysinternals Tools", "effort": "master", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects the usage of Sysinternals Tools due to accepteula key being added to Registry. The rule detects it either from the command line usage or from the regsitry events. For the later prerequisite is logging for registry events in the Sysmon configuration (events 12 and 13).", "attack": ["execution - Service Execution (T1569.002)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "One Identity SPS", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "WithSecure Elements", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "5afb625c-c0ac-40b2-8cd5-b812796bb416", "name": "Windows Sandbox Start", "effort": "master", "data_sources": ["Windows event logs", "Process command-line parameters"], "description": "Detection of Windows Sandbox started from the command line with a config file or interactively using a WSB file.", "attack": ["execution - Windows Management Instrumentation (T1047)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "Stormshield SES", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Broadcom/Symantec Endpoint Security", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "ae9621bf-4af2-419e-943d-3b62436feeea", "name": "Change Default File Association", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.", "attack": ["persistence - Change Default File Association (T1546.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "c345b95e-b9f4-4192-8c6b-703cc86935e7", "name": "Blue Mockingbird Malware", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs", "Windows Registry"], "description": "Attempts to detect system changes made by Blue Mockingbird", "attack": ["persistence - Modify Registry (T1112)", "execution - Windows Management Instrumentation (T1047)", "privilege-escalation - At (T1053.002)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "One Identity SPS", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "WithSecure Elements", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "87b56b41-89e8-41fd-b6dd-e70b1f5f15d7", "name": "PowerShell Download From URL", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Process use of network", "Windows event logs"], "description": "Detects a Powershell process that contains download commands in its command line string.", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "cb79d0a8-2ea7-41e6-9723-6fe357d9b2cd", "name": "Microsoft Defender Antivirus Exclusion Configuration", "effort": "master", "data_sources": ["Windows event logs", "Windows Registry", "Anti-virus"], "description": "Detects when an exclusion configuration change is made to Microsoft Windows Defender (adding either a path or process bypass)", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Azure Windows", "Microsoft Defender XDR (Graph API) [BETA]", "Sekoia.io Endpoint Agent", "BeyondTrust Privileged Remote Access Session", "Microsoft Defender XDR / Microsoft 365 Defender", "Trend Micro Vision One Workbench Alerts [BETA]", "Sophos Analysis Threat Center", "BeyondTrust PRA Team [BETA]", "SentinelOne Cloud Funnel 2.0", "Crowdstrike Falcon Telemetry", "HarfangLab EDR", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "Windows", "Elastic Winlogbeat"]}, {"uuid": "75b9eae4-e974-40a2-92d4-3b2388d05404", "name": "SAM Registry Hive Handle Request", "effort": "advanced", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects handles requested to SAM registry hive", "attack": ["credential-access - Security Account Manager (T1003.002)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "9627d3c9-e0cb-44de-877e-0eece88632f1", "name": "Searchprotocolhost Child Found", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "SearchProtocolHost.exe is part of the Windows Indexing Service, an application that indexes files from the local drive making them easier to search. This is a crucial part of the Windows operating system. This process should not create a child process or it is very rare.", "attack": ["privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Azure Windows", "ESET Protect", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Tanium", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "ab7baed3-30cf-4e7a-9eba-04a34b58581d", "name": "PowerShell Credential Prompt", "effort": "advanced", "data_sources": ["PowerShell logs", "Windows event logs"], "description": "Detects PowerShell calling a credential prompt (using PromptForCredential), like $Credential = $host.ui.PromptForCredential(\"Need credentials\", \"Please enter your user name and password.\", \"\", \"NetBiosUserName\"). The same result can be obtained by using the Get-Credential function but detecting it will trigger a lot of FP.", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Sekoia.io Endpoint Agent", "Trend Micro Vision One Workbench Alerts [BETA]", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "HarfangLab EDR", "Windows", "Elastic Winlogbeat"]}, {"uuid": "87bbf0bf-3fdb-4140-8d3c-7e9f7a9e7de9", "name": "SolarWinds Suspicious File Creation", "effort": "intermediate", "data_sources": ["File monitoring", "Process monitoring", "Windows event logs"], "description": "Detects SolarWinds process creating a file with a suspicious extension. The process solarwinds.businesslayerhost.exe created an unexpected file whose extension is \".exe\", \".ps1\", \".jpg\", \".png\" or \".dll\".", "attack": ["execution - System Services (T1569)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "Postfix", "CrowdStrike Falcon", "SonicWall Firewall", "Cybereason EDR", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "CEF", "Barracuda CloudGen Firewall", "Daspren Parad", "Sophos Analysis Threat Center", "Tanium", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Microsoft 365 / Office 365", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "IBM iSeries", "Thinkst Canary", "Cisco NX-OS", "Trend Micro Apex One / Vision One endpoint", "WithSecure Elements", "Trellix ePO (on-prem)", "Windows", "Elastic Winlogbeat"]}, {"uuid": "7c697f98-dea5-4d9b-8266-9a0ddc145c91", "name": "Netsh Allowed Python Program", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects netsh command that performs modification on Firewall rules to allow the program python.exe. This activity is most likely related to the deployment of a Python server or an application that needs to communicate over a network. Threat actors could use it for data extraction, hosting a webshell or else.", "attack": ["stealth - Disable or Modify System Firewall (T1562.004)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "b8d4c4e7-e464-4558-8683-5223eac0fd7e", "name": "Suspicious SAM Dump", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "Detects suspicious SAM dump to AppData repository, as cause by QuarksPwDump and other password dumpers. Logging for Microsoft-Windows-Kernel-General Event ID 16 or Sysmon Event ID 11 is needed.", "attack": ["credential-access - Security Account Manager (T1003.002)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "b9a3eb18-7b0f-4408-8e4b-c697d1eea8e6", "name": "WerFaultSecure Abuse", "effort": "advanced", "data_sources": ["Windows event logs", "Process command-line parameters"], "description": "Detect usage of the software vulnerability of WerFaultSecure to suspend the processes of EDRs, and bypass detection. It has been implemented in the tool EDR-Freeze.", "attack": ["execution - Windows Management Instrumentation (T1047)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "762653fa-aa40-418d-8e33-c1c5b4ef92ee", "name": "DHCP Callout DLL Installation", "effort": "intermediate", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required).", "attack": ["execution - DLL Side-Loading (T1574.002)", "persistence - Modify Registry (T1112)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "One Identity SPS", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "WithSecure Elements", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "8f3d3377-e095-497b-9e6e-ccd6c9a20a90", "name": "Suspicious XOR Encoded PowerShell Command Line", "effort": "advanced", "data_sources": ["PowerShell logs", "Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects suspicious powershell process which includes bxor command, alternative obfuscation  method to b64 encoded commands.", "attack": ["execution - PowerShell (T1059.001)", "stealth - Deobfuscate/Decode Files or Information (T1140)", "stealth - Obfuscated Files or Information (T1027)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "1802d30d-4ca0-454f-911e-7216c57e031d", "name": "Dllhost Wrong Parent", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Dllhost.exe is a process belonging to Microsoft Windows Operating System. The dllhost.exe file manages DLL based applications. This rule analyse if the parent of this process is a legitimate one or not.", "attack": ["privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Azure Windows", "ESET Protect", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Cloud Funnel 2.0", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "752b27bb-70d7-4f9c-82ab-6b10f8fcd164", "name": "User Couldn't Call A Privileged Service LsaRegisterLogonProcess", "effort": "master", "data_sources": ["Windows event logs"], "description": "The LsaRegisterLogonProcess function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA. This rule requires to log the Event ID 4673, which can be done by updating the Audit Policy.", "attack": ["credential-access - Kerberoasting (T1558.003)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "285ce2c5-edc4-4759-9466-250722e72655", "name": "Remote System Discovery Via Telnet", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects use of the protocol telnet to access information.", "attack": ["reconnaissance - Gather Victim Network Information (T1590)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "Microsoft Defender XDR / Microsoft 365 Defender", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch"]}, {"uuid": "d6e348c9-35d2-42a5-8a27-2085518a10c8", "name": "Suspicious Desktopimgdownldr Execution", "effort": "intermediate", "data_sources": ["File monitoring", "Process monitoring", "Process command-line parameters", "Windows event logs"], "description": "Detects a suspicious Desktopimgdownldr execution. Desktopimgdownldr.exe is a Windows binary used to configure lockscreen/desktop image and can be abused to download malicious file.", "attack": ["command-and-control - Ingress Tool Transfer (T1105)", "persistence - Modify Registry (T1112)", "stealth - System Binary Proxy Execution (T1218)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "SonicWall Firewall", "Stormshield SES", "Cybereason EDR", "VMware ESXi", "ESET Protect", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "CEF", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Daspren Parad", "One Identity SPS", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "WithSecure Elements", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "IBM iSeries", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Broadcom/Symantec Endpoint Security", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "080fe7db-82bb-497e-a501-a6601c88fa64", "name": "Net.exe User Account Creation", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Identifies creation of local users via the net.exe command", "attack": ["persistence - Create Account (T1136)", "persistence - Local Account (T1136.001)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "e82cf899-c793-4e70-97c4-2624dfaccca6", "name": "Phorpiex Process Masquerading", "effort": "elementary", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects specific process executable path used by the Phorpiex botnet to masquerade its system process network activity. It looks for a pattern of a system process executable name that is not legitimate and running from a folder that is created via a random algorithm 13-15 numbers long.", "attack": ["stealth - Match Legitimate Resource Name or Location (T1036.005)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Akamai Guardicore On-Prem [BETA]", "Systancia Cleanroom", "Trend Micro Vision One Workbench Alerts [BETA]", "CrowdStrike Falcon", "Stormshield SES", "ESET Protect", "Google Kubernetes Engine", "Bitdefender GravityZone", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Daspren Parad", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Tanium", "HarfangLab EDR", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "Kaspersky Endpoint Security", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "Broadcom/Symantec Endpoint Security", "Trellix ePO (on-prem)", "Windows", "Elastic Winlogbeat"]}, {"uuid": "c2fb9898-12b2-403c-9252-2591abdc5ca5", "name": "Taskhost or Taskhostw Suspicious Child Found", "effort": "master", "data_sources": ["Windows event logs", "Process monitoring"], "description": "Task Host manages pop-up windows when users try to close them in a Windows environment. Taskhost.exe triggers the host process for the task. Task Host is a Windows process designed to alert users when dialog boxes close. It is usually launched when restarting and shutting down a PC, and checks if all programs have been properly closed. This process should not create a child process or it is very rare.", "attack": ["privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Azure Windows", "ESET Protect", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Tanium", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "bc5ba26d-5227-4d2a-9849-d7540b140460", "name": "Malicious Browser Extensions", "effort": "advanced", "data_sources": ["Windows event logs", "Process command-line parameters"], "description": "Detects browser extensions being loaded with the --load-extension and -base-url options, which works on Chromium-based browsers. We are looking for potentially malicious browser extensions. These extensions can get access to informations.", "attack": ["persistence - Software Extensions (T1176)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "c8809a00-b1b1-4ff3-bf15-7fceb1790370", "name": "System Network Connections Discovery", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects system network connections discovery via powershell and cmd.", "attack": ["reconnaissance - Gather Victim Network Information (T1590)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "Microsoft Defender XDR / Microsoft 365 Defender", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch"]}, {"uuid": "3705b1c4-1dd2-4995-95ce-994b20905674", "name": "Credential Dump Tools Related Files", "effort": "advanced", "data_sources": ["File monitoring"], "description": "Detects processes or file names related to credential dumping tools and the dropped files they generate by default.", "attack": ["credential-access - LSASS Memory (T1003.001)", "credential-access - Security Account Manager (T1003.002)", "credential-access - NTDS (T1003.003)", "credential-access - LSA Secrets (T1003.004)", "credential-access - Cached Domain Credentials (T1003.005)"], "intake-formats": ["Broadcom Siteminder", "Microsoft Defender XDR (Graph API) [BETA]", "Fortinet FortiGate", "Gatewatcher AionIQ v102", "Cisco Secure Firewall", "Claroty xDome", "Cloudflare Gateway HTTP", "Palo Alto Prisma access", "Trend Micro Vision One Workbench Alerts [BETA]", "IBM AIX", "Watchguard EPDR", "ManageEngine ADAudit Plus", "CrowdStrike Falcon", "Postfix", "SonicWall Firewall", "Cybereason EDR", "Mimecast Email Security", "VMware ESXi", "Google Workspace / ChromeOS", "Cato Networks SASE", "Trellix Network Security", "CyberArk Audit Logs", "Cisco Secure Web Appliance", "Trellix Advanced Threat Defense", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Proofpoint PoD", "BeyondTrust Privileged Remote Access Session", "Gatewatcher AionIQ V103", "CEF", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "Daspren Parad", "Fortinet FortiMail", "One Identity SPS", "Sophos Analysis Threat Center", "CyberArk Digital Vault", "Tanium", "Zscaler Internet Access", "Palo Alto NGFW", "HarfangLab EDR", "Fortinet FortiProxy", "Trend Micro Cloud One / Deep Security", "Microsoft 365 / Office 365", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Netskope", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "Cisco Umbrella Proxy", "Kaspersky Endpoint Security", "Varonis Data Security", "IBM iSeries", "Thinkst Canary", "Cisco NX-OS", "Trend Micro Apex One / Vision One endpoint", "WithSecure Elements", "Trellix ePO (on-prem)", "Windows", "Elastic Winlogbeat"]}, {"uuid": "86c75fa1-1088-4476-b773-a4e289dcb703", "name": "Suspicious ADSI-Cache Usage By Unknown Tool", "effort": "advanced", "data_sources": ["File monitoring", "Process monitoring", "Windows event logs"], "description": "Detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger. It needs file monitoring capabilities (Sysmon Event ID 11 with .sch file creation logging).", "attack": ["command-and-control - Protocol or Service Impersonation (T1001.003)"], "intake-formats": ["Azure Windows", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "BeyondTrust Privileged Remote Access Session", "Kaspersky Endpoint Security", "Trend Micro Vision One Workbench Alerts [BETA]", "Daspren Parad", "BeyondTrust PRA Team [BETA]", "Tanium", "Cisco NX-OS", "Trend Micro Apex One / Vision One endpoint", "HarfangLab EDR", "WithSecure Elements", "Palo Alto Cortex XDR (EDR)", "Windows", "TEHTRIS EDR", "Elastic Winlogbeat"]}, {"uuid": "5a0e7027-440c-46b4-9170-9729b4591a2e", "name": "Gpscript Suspicious Parent", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Gpscript defines GPO scripts for users and applies them to login / logout sessions. This rule checks if the parent of this process is the supposed one (svchost) or not.", "attack": ["privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Azure Windows", "ESET Protect", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Cloud Funnel 2.0", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "72a1e356-f797-42eb-9ba6-da8efbe3c903", "name": "OceanLotus Registry Activity", "effort": "intermediate", "data_sources": ["Windows Registry", "Windows event logs"], "description": "Detects registry keys created in OceanLotus (also known as APT32) attack. Logging for Registry events is needed in the Sysmon configuration (events 12 and 13).", "attack": ["persistence - Modify Registry (T1112)"], "intake-formats": ["Azure Windows", "Microsoft Defender XDR (Graph API) [BETA]", "Sekoia.io Endpoint Agent", "BeyondTrust Privileged Remote Access Session", "Microsoft Defender XDR / Microsoft 365 Defender", "Trend Micro Vision One Workbench Alerts [BETA]", "Sophos Analysis Threat Center", "BeyondTrust PRA Team [BETA]", "SentinelOne Cloud Funnel 2.0", "Crowdstrike Falcon Telemetry", "HarfangLab EDR", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "Windows", "Elastic Winlogbeat"]}, {"uuid": "25b09bc2-764e-4e3a-957d-963d84c76d5c", "name": "ACLight Discovering Privileged Accounts", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects use of ACLight tool. This tool aims to discover privileged accounts by scanning the network.", "attack": ["reconnaissance - Gather Victim Network Information (T1590)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Bitdefender GravityZone", "Palo Alto Cortex XDR (EDR)", "Microsoft Defender XDR / Microsoft 365 Defender", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "SentinelOne Cloud Funnel 2.0", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Microsoft 365 / Office 365", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch"]}, {"uuid": "56f0b1ff-3ace-49e4-a15a-e14e497ac81b", "name": "Turla Named Pipes", "effort": "elementary", "data_sources": ["Named Pipes", "Windows event logs"], "description": "Detects a named pipe used by Turla group samples. Prerequisites: Logging for PipeEvents is needed in Sysmon config", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "07f8ec89-1271-4142-9d01-08ea76a071cc", "name": "Suspicious PrinterPorts Creation (CVE-2020-1048)", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects new commands that add new printer port which point to suspicious file", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "1ac56867-c34a-4a19-b73a-2df7151a8e12", "name": "Correlation Multi Service Disable", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "The rule detects a high number of services stopped or de-activated in a short period of time.", "attack": ["impact - Service Stop (T1489)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "Microsoft Defender XDR / Microsoft 365 Defender", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch"]}, {"uuid": "5eb6a468-d566-449c-8aaa-62d58be21ecc", "name": "Suspicious Rundll32.exe Executions", "effort": "intermediate", "data_sources": ["DLL monitoring", "Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "The process rundll32.exe executes a newly dropped DLL with update /i in the command line. This specific technic was observed at least being used by the IcedID loading mechanism dubbed Gziploader. Some other detections are related to LOLBAS (Living Off The Land Binaries, Scripts and Libraries) usages (like the COM registering).", "attack": ["stealth - Rundll32 (T1218.011)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "6797e888-619a-4d22-98c4-ee2129a04630", "name": "RedMimicry Winnti Playbook Dropped File", "effort": "elementary", "data_sources": ["Windows event logs"], "description": "Detects actions caused by the RedMimicry Winnti playbook", "attack": ["credential-access - Security Account Manager (T1003.002)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "6e318b4a-5590-4b3e-9879-42f68a235e9d", "name": "Network Sniffing Windows", "effort": "intermediate", "data_sources": ["File monitoring", "Host network interface", "Process command-line parameters", "Process monitoring", "Process use of network", "Windows event logs"], "description": "Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.", "attack": ["discovery - Network Sniffing (T1040)"], "intake-formats": ["Keycloak Events", "Microsoft Defender XDR (Graph API) [BETA]", "Akamai Guardicore On-Prem [BETA]", "Cisco Secure Firewall", "IBM AIX", "Windows Log Insight", "CrowdStrike Falcon", "Postfix", "SonicWall Firewall", "Stormshield SES", "Cybereason EDR", "VMware ESXi", "ESET Protect", "Elastic AuditBeat Linux", "Trellix EPO [ALPHA]", "Jumpcloud Directory Insights", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "CEF", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Daspren Parad", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Microsoft 365 / Office 365", "Akamai Guardicore Cloud [BETA]", "Azure Activity Logs", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "IBM iSeries", "VMware vCenter", "Thinkst Canary", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Broadcom/Symantec Endpoint Security", "Trellix ePO (on-prem)", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "0318eb70-c478-4451-92c6-0f7a3daca373", "name": "MavInject Process Injection", "effort": "intermediate", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters"], "description": "Detects process injection using the signed Windows tool Mavinject32.exe (which is a LOLBAS)", "attack": ["privilege-escalation - Dynamic-link Library Injection (T1055.001)", "stealth - System Binary Proxy Execution (T1218)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "d670eb5b-2d94-4407-a677-cbda8efbd5da", "name": "Active Directory Replication from Non Machine Account", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials. It requires a configuration step where the legit service account should be added to the exclusion list.", "attack": ["credential-access - DCSync (T1003.006)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "8959633b-8b2c-4b66-9850-010f8c4bec02", "name": "Microsoft Defender Antivirus History Directory Deleted", "effort": "elementary", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters"], "description": "Windows Defender history directory has been deleted. This could be an attempt by an attacker to remove its traces.", "attack": ["stealth - Clear Windows Event Logs (T1070.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "563cccb9-2a2c-4dfa-962d-9b50e3bc7ba9", "name": "LSASS Memory Dump", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects process accessing LSASS memory which is typical for credentials dumping tools. The rule requires Sysmon EventID 10 to work as it is based on the GrantedAccess mask.", "attack": ["credential-access - LSASS Memory (T1003.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "82a29b6e-65cd-489e-aa1d-9246dc52b9c1", "name": "Njrat Registry Values", "effort": "intermediate", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters", "Windows Registry"], "description": "Detects specifis registry values that are related to njRat usage.", "attack": ["privilege-escalation - Boot or Logon Autostart Execution (T1547)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "One Identity SPS", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "WithSecure Elements", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "6e583c47-95ad-43e5-9664-496ca1ffdf72", "name": "DNS Query For Iplookup", "effort": "master", "data_sources": ["Windows event logs", "Network protocol analysis", "Process use of network", "Web proxy"], "description": "Detects dns query of observables tagged as iplookup.", "attack": ["reconnaissance - Gather Victim Host Information (T1592)"], "intake-formats": ["Keycloak Events", "OpenSSH", "Microsoft Defender XDR (Graph API) [BETA]", "Akamai Guardicore On-Prem [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "Postfix", "SonicWall Firewall", "Stormshield SES", "VMware ESXi", "ESET Protect", "Citrix NetScaler / ADC", "Elastic AuditBeat Linux", "Trellix EPO [ALPHA]", "Jumpcloud Directory Insights", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "CEF", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Microsoft 365 / Office 365", "Akamai Guardicore Cloud [BETA]", "Azure Activity Logs", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "IBM iSeries", "VMware vCenter", "Thinkst Canary", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Broadcom/Symantec Endpoint Security", "Trellix ePO (on-prem)", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "5e5ed096-880a-47c9-ab51-d5f94b5f3a44", "name": "Microsoft Office Spawning Script", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects Microsoft Office process (word, excel, powerpoint) spawning wscript.exe or cscript.exe. This typically indicates the parent process launched a malicious macro, or run an exploit. This infection vector is very common and could lead to the deployment of harmful malware. ", "attack": ["execution - Visual Basic (T1059.005)", "execution - Malicious File (T1204.002)"], "intake-formats": ["Azure Activity Logs", "Azure Windows", "ESET Protect", "OCSF", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "48ebecd8-4de3-11ec-81d3-0242ac130003", "name": "RDP Session Discovery", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects use of RDP session discovery via qwinsta or quser. Used by some threat actors to know if someone is working via RDP on a server.", "attack": ["discovery - System Owner/User Discovery (T1033)"], "intake-formats": ["Keycloak Events", "Microsoft Defender XDR (Graph API) [BETA]", "Akamai Guardicore On-Prem [BETA]", "Cisco Secure Firewall", "IBM AIX", "Windows Log Insight", "CrowdStrike Falcon", "Postfix", "SonicWall Firewall", "Stormshield SES", "Cybereason EDR", "VMware ESXi", "ESET Protect", "Elastic AuditBeat Linux", "Trellix EPO [ALPHA]", "Jumpcloud Directory Insights", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "CEF", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Daspren Parad", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Microsoft 365 / Office 365", "Akamai Guardicore Cloud [BETA]", "Azure Activity Logs", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "IBM iSeries", "VMware vCenter", "Thinkst Canary", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Broadcom/Symantec Endpoint Security", "Trellix ePO (on-prem)", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "6124e5cf-87bd-4f04-beca-37188633a1c7", "name": "Unsigned Driver Loaded From Suspicious Location", "effort": "advanced", "data_sources": ["Kernel drivers", "Loaded DLLs"], "description": "Detects when a driver is unsigned and loaded from a suspicious directory.", "attack": ["stealth - Masquerading (T1036)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent", "Elastic Winlogbeat"]}, {"uuid": "eb872e56-27c1-4955-a7e8-e9fd8136541f", "name": "Logonui Wrong Parent", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Logonui.exe is a file associated with the Logon user interface. The login user interface is an essential part of the Windows operating system. It doesn't only make it easy for the user to log in to the PC but also determines whether the user has logged in and logged out correctly and makes it easy to switch between users. This rule checks if the parent of this process is a legitimate one or not.", "attack": ["privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Azure Windows", "ESET Protect", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Cloud Funnel 2.0", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "a7d43735-57ac-4ebc-9c79-c49585e80ca2", "name": "Windows Registry Persistence COM Search Order Hijacking", "effort": "master", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects potential COM object hijacking leveraging the COM Search Order. Logging for Registry events is needed, it can be done with Sysmon's Event IDs 12 and 13. Alert filters are highly encouraged for such kind of rule.", "attack": ["execution - DLL (T1574.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "d661cc14-7a5f-4340-ac3e-a29cb7f709d8", "name": "LSASS Access From Non System Account", "effort": "master", "data_sources": ["Authentication logs", "Process monitoring", "Windows event logs"], "description": "Detects LSASS Access from Non System Account (e.g. Mimikatz)", "attack": ["credential-access - LSASS Memory (T1003.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "46748666-f104-4e5a-baeb-b4ae66216d57", "name": "Credential Dumping By LaZagne", "effort": "elementary", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects LSASS process access by LaZagne for credential dumping. ", "attack": ["credential-access - LSASS Memory (T1003.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "a82fa4da-6a5c-4776-8615-e02d168c8718", "name": "Screenconnect Remote Execution", "effort": "intermediate", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters"], "description": "Detect cmd or powershell remote execution cmdline via ScreenConnect", "attack": ["execution - Windows Command Shell (T1059.003)", "execution - PowerShell (T1059.001)"], "intake-formats": ["Azure Activity Logs", "Azure Windows", "OCSF", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "fd8af1a5-1abd-4a87-95d5-8c29511a50ab", "name": "PsExec Process", "effort": "advanced", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects PsExec execution, command line which contains pstools or installation of the PsExec service. PsExec is a SysInternals which can be used to execute a program on another computer. The tool is as much used by attackers as by administrators. ", "attack": ["execution - Service Execution (T1569.002)"], "intake-formats": ["Keycloak Events", "Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Akamai Guardicore On-Prem [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "Windows Log Insight", "F5 BIG-IP", "CrowdStrike Falcon", "Postfix", "SonicWall Firewall", "Stormshield SES", "Cybereason EDR", "VMware ESXi", "ESET Protect", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Trellix EPO [ALPHA]", "Jumpcloud Directory Insights", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "CEF", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Daspren Parad", "One Identity SPS", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "WithSecure Elements", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Microsoft 365 / Office 365", "Akamai Guardicore Cloud [BETA]", "Azure Activity Logs", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "IBM iSeries", "VMware vCenter", "Thinkst Canary", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Broadcom/Symantec Endpoint Security", "Trellix ePO (on-prem)", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "db286a17-759d-4a98-9765-b6606212980f", "name": "Malicious Named Pipe", "effort": "intermediate", "data_sources": ["Windows event logs", "Named Pipes"], "description": "Detects the creation of a named pipe used by known malware. Prerequisites are logging for PipeEvents in Sysmon config (Event ID 17 and 18).", "attack": ["privilege-escalation - Process Injection (T1055)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "9d8b21d6-76ca-48b7-b37a-54ad6f68489b", "name": "HTML Smuggling Suspicious Usage", "effort": "advanced", "data_sources": ["Windows event logs", "Process command-line parameters", "Process monitoring", "File monitoring"], "description": "Based on several samples from different botnets, this rule aims at detecting HTML infection chain by looking for HTML created files followed by suspicious files being executed.", "attack": ["persistence - Event Triggered Execution (T1546)", "privilege-escalation - Abuse Elevation Control Mechanism (T1548)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Fortinet FortiGate", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "Palo Alto Prisma access", "IBM AIX", "Watchguard EPDR", "F5 BIG-IP", "CrowdStrike Falcon", "Postfix", "SonicWall Firewall", "Cybereason EDR", "VMware ESXi", "Google Workspace / ChromeOS", "Cato Networks SASE", "Palo Alto Cortex XDR (EDR)", "Microsoft Defender XDR / Microsoft 365 Defender", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Zscaler Internet Access", "Forcepoint Next-Generation Firewall", "Palo Alto NGFW", "HarfangLab EDR", "Microsoft 365 / Office 365", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Netskope", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "Varonis Data Security", "IBM iSeries", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Trellix ePO (on-prem)", "Windows", "Cisco IOS router and switch"]}, {"uuid": "4acd0304-84f7-45f1-a006-1e528052a0b9", "name": "Chafer (APT 39) Activity", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "Detects previous Chafer (APT 39) activity attributed to OilRig as reported in Nyotron report in March 2018.", "attack": ["privilege-escalation - Scheduled Task (T1053.005)", "privilege-escalation - Windows Service (T1543.003)", "persistence - Modify Registry (T1112)", "command-and-control - DNS (T1071.004)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent", "Elastic Winlogbeat"]}, {"uuid": "ca46a4b4-1dc1-4db2-956b-c47e43908fea", "name": "Powershell Web Request", "effort": "master", "data_sources": ["Windows event logs", "PowerShell logs", "Process use of network"], "description": "Detects the use of various web request methods executed remotely via Windows PowerShell.", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "CrowdStrike Falcon", "VMware ESXi", "ESET Protect", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Barracuda CloudGen Firewall", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "aa56afe1-cdea-4a08-9083-a9dea8f097cf", "name": "Suspicious Kerberos Ticket", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "Detect suspicious Kerberos ticket based on on their parameters which suggest that it could be forged.", "attack": ["credential-access - Steal or Forge Kerberos Tickets (T1558)", "credential-access - Steal or Forge Authentication Certificates (T1649)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "b833f0dc-b682-4151-9f75-db2fc16e6e7f", "name": "ISO LNK Infection Chain", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detection of an ISO (or any other similar archive file) downloaded file, followed by a child-process of explorer, which is characteristic of an infection using an ISO containing an LNK file. For events with `host.name`.", "attack": ["execution - Malicious Link (T1204.001)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Fortinet FortiGate", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "Palo Alto Prisma access", "IBM AIX", "Watchguard EPDR", "CrowdStrike Falcon", "Postfix", "SonicWall Firewall", "Cybereason EDR", "VMware ESXi", "ESET Protect", "Google Workspace / ChromeOS", "Cato Networks SASE", "Palo Alto Cortex XDR (EDR)", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "CEF", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "Daspren Parad", "One Identity SPS", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Zscaler Internet Access", "Palo Alto NGFW", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Microsoft 365 / Office 365", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Netskope", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "Cisco Umbrella Proxy", "Varonis Data Security", "IBM iSeries", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Trellix ePO (on-prem)", "Windows"]}, {"uuid": "440aa4b1-56d2-4622-b414-3fc38bd4fbf5", "name": "Certify Or Certipy", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects the use of certify and certipy which are two different tools used to enumerate and abuse Active Directory Certificate Services.", "attack": ["privilege-escalation - Exploitation for Privilege Escalation (T1068)"], "intake-formats": ["Broadcom Siteminder", "Fortinet FortiGate", "Cloudflare Gateway HTTP", "Cybereason EDR", "Elastic AuditBeat Linux", "Trellix Network Security", "Cisco Secure Web Appliance", "Azure Windows", "Proofpoint PoD", "Juniper NGFW", "Daspren Parad", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Zscaler Internet Access", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Fortinet FortiProxy", "Stormshield SNS", "Microsoft 365 / Office 365", "OCSF", "VMware vCenter", "Crowdstrike Falcon Telemetry", "Elastic Winlogbeat", "Watchguard EPDR", "ManageEngine ADAudit Plus", "CrowdStrike Falcon", "Postfix", "Google Workspace / ChromeOS", "Trellix Advanced Threat Defense", "TEHTRIS EDR", "BeyondTrust Privileged Remote Access Session", "BeyondTrust PRA Team [BETA]", "Akamai Guardicore Cloud [BETA]", "Sekoia.io Endpoint Agent", "Cisco Umbrella Proxy", "Varonis Data Security", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Trellix EPO [ALPHA]", "Broadcom/Symantec Endpoint Security", "Cisco IOS router and switch", "Trellix ePO (on-prem)", "WithSecure Elements", "Microsoft Defender XDR (Graph API) [BETA]", "Akamai Guardicore On-Prem [BETA]", "Cisco Secure Firewall", "Palo Alto Prisma access", "IBM AIX", "Windows Log Insight", "SonicWall Firewall", "Mimecast Email Security", "ESET Protect", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Cato Networks SASE", "CyberArk Audit Logs", "Gatewatcher AionIQ V103", "CEF", "Fortinet FortiMail", "Palo Alto NGFW", "Netskope", "Thinkst Canary", "Cisco NX-OS", "NucleonEDR", "Windows", "Jumpcloud Directory Insights", "Keycloak Events", "Gatewatcher AionIQ v102", "Claroty xDome", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "F5 BIG-IP", "VMware ESXi", "Bitdefender GravityZone", "Palo Alto Cortex XDR (EDR)", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "CyberArk Digital Vault", "Trend Micro Cloud One / Deep Security", "Azure Activity Logs", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "SentinelOne EDR", "Kaspersky Endpoint Security", "IBM iSeries", "WALLIX Bastion"]}, {"uuid": "90f75d53-9660-4d0b-aaa9-bb8d25faf9f1", "name": "Copying Sensitive Files With Credential Data", "effort": "elementary", "data_sources": ["File monitoring", "Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects copy of files with well-known filenames (sensitive files with credential data) using esentutl. This requires Windows Security event log with the Detailed File Share logging policy enabled.", "attack": ["credential-access - Security Account Manager (T1003.002)", "credential-access - NTDS (T1003.003)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "44c29ab4-0e7c-44c9-b1a2-0501c8ce6d2c", "name": "Raccine Uninstall", "effort": "elementary", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters"], "description": "Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "b0d73941-2c95-4472-9e19-a9c2055e0139", "name": "Anomaly Secret Store Access", "effort": "master", "data_sources": ["Windows event logs"], "description": "The rule detects abnormally high access to secrets store folder", "attack": ["credential-access - Credentials from Password Stores (T1555)"], "intake-formats": []}, {"uuid": "5056938a-e4e4-48a1-9e87-cab615953eff", "name": "Active Directory User Backdoors", "effort": "intermediate", "data_sources": ["Access tokens", "Windows event logs"], "description": "Detects scenarios where the attacker controls another user or computer account without having to use their credentials.", "attack": ["privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "31aa72ec-1732-4d71-99e9-bce6d16b72f1", "name": "CMSTP UAC Bypass via COM Object Access", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects", "attack": ["privilege-escalation - Bypass User Account Control (T1548.002)", "stealth - CMSTP (T1218.003)"], "intake-formats": ["Azure Windows", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "Sophos Analysis Threat Center", "Elastic Winlogbeat", "SentinelOne Cloud Funnel 2.0", "Tanium", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "d6953ee3-1ca2-4892-89e2-4d83ec27a4e4", "name": "Taskhost Wrong Parent", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects if the Taskhost process was executed by a non-legitimate parent process. Taskhost is the process of the Windows Task Manager which lists the processes that are currently running on the computer system.", "attack": ["privilege-escalation - Process Injection (T1055)", "privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Azure Windows", "ESET Protect", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Cloud Funnel 2.0", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "fda5c184-37a1-4ed8-9f7a-cbd29b5cc5df", "name": "Correlation Internal Ntlm Password Spraying", "effort": "master", "data_sources": ["Windows event logs"], "description": "Detect multiple NTLM authentication failed on several account from one source", "attack": ["credential-access - Password Spraying (T1110.003)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent", "Elastic Winlogbeat"]}, {"uuid": "e69bad49-6e8c-4bd8-89e0-2ee45c7009ce", "name": "OneNote Embedded File", "effort": "intermediate", "data_sources": ["File monitoring", "Process monitoring", "Windows event logs"], "description": "Detects creation or uses of OneNote embedded files with unusual extensions.  ", "attack": ["stealth - Software Packing (T1027.002)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Palo Alto Prisma access", "IBM AIX", "Watchguard EPDR", "ManageEngine ADAudit Plus", "SonicWall Firewall", "Cybereason EDR", "VMware ESXi", "Trellix Network Security", "CyberArk Audit Logs", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Azure Windows", "BeyondTrust Privileged Remote Access Session", "CEF", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "Daspren Parad", "One Identity SPS", "Sophos Analysis Threat Center", "Tanium", "Palo Alto NGFW", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Netskope", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "Kaspersky Endpoint Security", "Varonis Data Security", "IBM iSeries", "Cisco NX-OS", "Trend Micro Apex One / Vision One endpoint", "WithSecure Elements", "Windows", "Elastic Winlogbeat"]}, {"uuid": "5e44c927-352d-4801-a375-81d959f20a52", "name": "Suspicious Headless Web Browser Execution To Download File", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Process use of network", "Windows event logs"], "description": "Detects a suspicious command used to execute a Chromium-based web browser (Chrome or Edge) using the headless mode, meaning that the browser window wouldn't be visible, and the dump mode to download a file. This technique can be used to fingerprint the compromised host, in particular by the Ducktail infostealer.", "attack": ["discovery - System Network Configuration Discovery (T1016)", "discovery - System Information Discovery (T1082)", "command-and-control - Ingress Tool Transfer (T1105)", "stealth - Hidden Window (T1564.003)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "05ed23d0-27f2-4fcb-8e9e-6d2e3481cc52", "name": "KeePass Config XML In Command-Line", "effort": "intermediate", "data_sources": ["Windows event logs", "Process command-line parameters"], "description": "Detects a command-line interaction with the KeePass Config XML file. It could be used to retrieve informations or to be abused for persistence.", "attack": ["credential-access - Modify Authentication Process (T1556)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "7ebce905-306d-42eb-8945-aa6bfa2881b5", "name": "Sticky Key Like Backdoor Usage", "effort": "elementary", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen. Prerequisites are logging for Registry events, which can be done with Sysmon (events 12 and 13).", "attack": ["persistence - Accessibility Features (T1546.008)"], "intake-formats": ["Azure Windows", "Microsoft Defender XDR (Graph API) [BETA]", "Sekoia.io Endpoint Agent", "BeyondTrust Privileged Remote Access Session", "Microsoft Defender XDR / Microsoft 365 Defender", "Trend Micro Vision One Workbench Alerts [BETA]", "BeyondTrust PRA Team [BETA]", "SentinelOne Cloud Funnel 2.0", "Crowdstrike Falcon Telemetry", "HarfangLab EDR", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "Windows", "Elastic Winlogbeat"]}, {"uuid": "cd699737-bd8e-4e7b-a692-78eed4f358ea", "name": "Rubeus Tool Command-line", "effort": "advanced", "data_sources": ["Process command-line parameters", "Windows event logs"], "description": "Detects command line parameters used by Rubeus, a toolset to interact with Kerberos and abuse it.", "attack": ["credential-access - OS Credential Dumping (T1003)", "credential-access - Kerberoasting (T1558.003)", "lateral-movement - Pass the Ticket (T1550.003)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "b84eba5c-aa97-4095-96f5-126b115d60b5", "name": "Windows Update LolBins", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "This rule try to detect a suspicious behavior of wuauclt.exe (windows update client) that could be a lolbins. Wuauctl.exe could be used to execute a malicious program.", "attack": ["execution - System Services (T1569)"], "intake-formats": ["Azure Activity Logs", "Azure Windows", "OCSF", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "6c9e73ab-cf3a-4e53-839d-1beed91d492c", "name": "Ntfsinfo Usage", "effort": "advanced", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "Detects when the command ntfsinfo is used. An attacker can access to information on the volume from NTFS and have a directory dump of NTFS files.", "attack": ["collection - Data from Local System (T1005)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "4cc8b8e4-8f6e-4b23-b87f-a8dc4b3b9a05", "name": "Suspicious DLL side loading from ProgramData", "effort": "intermediate", "data_sources": ["Loaded DLLs", "DLL monitoring", "Windows event logs"], "description": "Detects suspicious DLL side-loading from C:\\ProgramData where the DLL is not signed.", "attack": ["execution - DLL Side-Loading (T1574.002)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "294f8728-57ee-478d-bf32-6252184f4a56", "name": "Process Memory Dump Using Rdrleakdiag", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects the use of rdrleakdiag.exe in command line to dump the memory of a process. This technique is used by attackers for privilege escalation and pivot.", "attack": ["credential-access - OS Credential Dumping (T1003)", "credential-access - LSASS Memory (T1003.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "07f5a079-5c40-4ffa-9511-6f57675f6f7d", "name": "PowerShell Data Compressed", "effort": "advanced", "data_sources": ["PowerShell logs", "Windows event logs", "Process command-line parameters"], "description": "Detects data compression through a PowerShell command (could be used by an adversary for exfiltration).", "attack": ["collection - Archive Collected Data (T1560)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "990ed23b-d598-45ae-8b43-156538ee9d1c", "name": "Microsoft Office Creating Suspicious File", "effort": "master", "data_sources": ["File monitoring", "Process monitoring", "Windows event logs"], "description": "Detects Microsoft Office process (word, excel, powerpoint) creating a suspicious file which corresponds to a script or an executable. This behavior highly corresponds to an executed macro which loads an installation script or a malware payload. The rule requires to log for File Creations to work properly, which can be done through Sysmon Event ID 11.", "attack": ["execution - Malicious File (T1204.002)", "execution - Command and Scripting Interpreter (T1059)", "execution - Visual Basic (T1059.005)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "IBM AIX", "SonicWall Firewall", "Cybereason EDR", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Azure Windows", "CEF", "Barracuda CloudGen Firewall", "Daspren Parad", "Sophos Analysis Threat Center", "Tanium", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "IBM iSeries", "Cisco NX-OS", "Trend Micro Apex One / Vision One endpoint", "WithSecure Elements", "Windows", "Elastic Winlogbeat"]}, {"uuid": "66987b18-cd6c-47a9-9c3b-5875ee9edadf", "name": "Formbook File Creation DB1", "effort": "intermediate", "data_sources": ["File monitoring", "Process monitoring", "Windows event logs"], "description": "Detects specific file creation (Users\\*\\AppData\\Local\\Temp\\DB1) to store data to exfiltrate (Formbook behavior). Logging for Sysmon event 11 is usually used for this detection. ", "attack": ["collection - Data from Local System (T1005)"], "intake-formats": ["Azure Windows", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "BeyondTrust Privileged Remote Access Session", "Kaspersky Endpoint Security", "Trend Micro Vision One Workbench Alerts [BETA]", "Daspren Parad", "BeyondTrust PRA Team [BETA]", "Tanium", "Cisco NX-OS", "Trend Micro Apex One / Vision One endpoint", "HarfangLab EDR", "WithSecure Elements", "Palo Alto Cortex XDR (EDR)", "Windows", "TEHTRIS EDR", "Elastic Winlogbeat"]}, {"uuid": "3d0d02b2-525d-4a65-8f2d-c2f8090f1763", "name": "GPO Executable Delivery", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "Detects MSI binaries run through GPOs.", "attack": ["privilege-escalation - Group Policy Modification (T1484.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "bb1733db-3eda-4f00-bd13-e6ae600215ce", "name": "Malicious PowerShell Keywords", "effort": "advanced", "data_sources": ["PowerShell logs", "Windows event logs"], "description": "Detects keywords from well-known PowerShell exploitation frameworks", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Sekoia.io Endpoint Agent", "Trend Micro Vision One Workbench Alerts [BETA]", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "HarfangLab EDR", "Windows", "Elastic Winlogbeat"]}, {"uuid": "bdd8fab7-7f9a-407a-96c7-9c6927dc1f6c", "name": "Openfiles Usage", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects when the command openfiles, to get information on files opened remotely, is used.", "attack": ["discovery - Remote System Discovery (T1018)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "3d446ca3-0f22-4386-a9fd-4f4c6a0b6e08", "name": "IcedID Execution Using Excel", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects Excel spawning a process (rundll32 or wmic) running suspicious command-line. This behaviour could correspond to IcedID activity. ", "attack": ["execution - Malicious File (T1204.002)", "persistence - Office Template Macros (T1137.001)", "stealth - Regsvr32 (T1218.010)", "stealth - Rundll32 (T1218.011)"], "intake-formats": ["Azure Activity Logs", "Azure Windows", "OCSF", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "7c552eec-74a6-4981-b410-4fae0f89588f", "name": "Disable .NET ETW Through COMPlus_ETWEnabled", "effort": "intermediate", "data_sources": ["Windows event logs", "Windows Registry", "Process command-line parameters", "Process monitoring", "PowerShell logs"], "description": "Detects potential adversaries stopping ETW providers recording loaded .NET assemblies. Prerequisites are logging for Registry events or logging command line parameters (both is better). Careful for registry events, if SwiftOnSecurity's SYSMON default configuration is used, you will need to update the configuration to include the .NETFramework registry key path. Same issue with Windows 4657 EventID logging, the registry path must be specified.", "attack": ["persistence - Modify Registry (T1112)", "stealth - Disable Windows Event Logging (T1562.002)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "One Identity SPS", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "WithSecure Elements", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "e1483826-c586-42e5-b59f-c2b8feae04c6", "name": "Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data", "effort": "intermediate", "data_sources": ["Windows event logs", "PowerShell logs", "Process monitoring", "Process command-line parameters"], "description": "Detects PowerShell SnapIn command line or PowerShell script, often used with Get-Mailbox to export Exchange mailbox data.", "attack": ["collection - Data from Local System (T1005)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "5fe2818a-9495-49a3-b53f-c7b28b02fc3a", "name": "Suspicious Windows Installer Execution", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects suspicious execution of the Windows Installer service (msiexec.exe) which could be used to install a malicious MSI package hosted on a remote server.", "attack": ["stealth - Msiexec (T1218.007)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "0238e3ce-d9f1-4032-a588-2320f7c5cebb", "name": "Suspicious TGS requests (Kerberoasting)", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "The rule aims at detecting the Kerberoasting technique, when an attacker requests TGS in order to crack them offline. Toease its task, the attacker requests tickets with weak encryption (such as RC4_HMAC_MD5). The rule therefore detects when an user is requesting 5 TGS for different users in 5 minutes.", "attack": ["credential-access - Steal or Forge Kerberos Tickets (T1558)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "89974e5e-bcec-402d-b5bb-14210c16bb16", "name": "Disable Security Events Logging Adding Reg Key MiniNt", "effort": "master", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.  Prerequisites: Logging for Registry events for this specific registry key is needed in the Sysmon configuration (events 12, 13 and 14).", "attack": ["stealth - Disable Windows Event Logging (T1562.002)", "persistence - Modify Registry (T1112)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "72a32869-3146-4051-a3a5-3b35bba6d12e", "name": "Lsass Wrong Parent", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Lsass ensures the identification of users (domain users or local users). Domain users are identified based on information in the Active Directory. Local users are identified based on information from the Security Account Manager (SAM) local database. This rule checks if the parent of this process is a legitimate one or not.", "attack": ["privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Azure Windows", "ESET Protect", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Cloud Funnel 2.0", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "aab3bd39-a96a-429d-aa17-58217b87066a", "name": "PowerShell Suspicious Context Changes", "effort": "advanced", "data_sources": ["Windows event logs", "PowerShell logs", "Process use of network"], "description": "Detects some PowerShell context changes that could be used to create an interactive shell and bypass some security measures in terms of logging and execution.", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Sekoia.io Endpoint Agent", "Trend Micro Vision One Workbench Alerts [BETA]", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "HarfangLab EDR", "Windows", "Elastic Winlogbeat"]}, {"uuid": "be611007-f660-4d77-bc22-3324f50da1c9", "name": "Python Opening Ports", "effort": "advanced", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects when the Windows Filtering Platform has permitted Python.exe to listen on a port for incoming connections. This activity is most likely related to the deployment of a Python server or an application that needs to communicate over a network. Threat actors could use it for data extraction, hosting a webshell or else. ", "attack": ["stealth - Disable or Modify System Firewall (T1562.004)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "dfe59316-6998-4f01-bf1e-54272bf4702d", "name": "Credential Dumping-Tools Common Named Pipes", "effort": "master", "data_sources": ["Windows event logs", "Named Pipes"], "description": "Detects well-known credential dumping tools execution via specific named pipes. Prerequisites: Logging for PipeEvents is needed in Sysmon config", "attack": ["credential-access - LSASS Memory (T1003.001)", "credential-access - Security Account Manager (T1003.002)", "credential-access - LSA Secrets (T1003.004)", "credential-access - Cached Domain Credentials (T1003.005)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "1ed77d3b-81fb-4f4d-994e-5ffa85e1a8d2", "name": "Adidnsdump Enumeration", "effort": "advanced", "data_sources": ["Windows event logs", "PowerShell logs"], "description": "Detects use of the tool adidnsdump for enumeration and discovering DNS records.", "attack": ["reconnaissance - Gather Victim Network Information (T1590)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "Palo Alto Prisma access", "RSA SecurID", "IBM AIX", "Watchguard EPDR", "ManageEngine ADAudit Plus", "F5 BIG-IP", "CrowdStrike Falcon", "SonicWall Firewall", "Cybereason EDR", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Trellix Network Security", "CyberArk Audit Logs", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "CEF", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "Daspren Parad", "One Identity SPS", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "Forcepoint Next-Generation Firewall", "Palo Alto NGFW", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "Netskope", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "Kaspersky Endpoint Security", "Varonis Data Security", "IBM iSeries", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "4bda48a7-2890-4af0-95b7-a429904bfe13", "name": "Password Dumper Activity On LSASS", "effort": "intermediate", "data_sources": ["Authentication logs", "Process monitoring", "Windows event logs"], "description": "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN", "attack": ["credential-access - OS Credential Dumping (T1003)", "credential-access - LSASS Memory (T1003.001)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "14e6ee4d-c2f0-4d77-b6dd-c78dbd4ba038", "name": "Dism Disabling Windows Defender", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects windows defender disabled by dism.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "ac3097a8-3f3e-478c-90ff-75c1457c2fdc", "name": "Suspicious Finger Usage", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays. An attacker can use finger to silently retrieve a command, a script or a payload from a remote server. For example, the tool Darkfinger-C2 uses this technique to download files from the C2 channel.", "attack": ["command-and-control - Ingress Tool Transfer (T1105)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "655c8218-6a8d-47a4-84c0-07df01bd251e", "name": "New DLL Added To AppCertDlls Registry Key", "effort": "intermediate", "data_sources": ["Windows Registry", "Windows event logs"], "description": "Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. Logging for Registry events is needed in the Sysmon configuration (events 12 and 13).", "attack": ["persistence - AppCert DLLs (T1546.009)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "One Identity SPS", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "WithSecure Elements", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "a4caed33-d86a-496c-8d97-a8fc87486502", "name": "Microsoft Defender Antivirus Tampering Detected", "effort": "advanced", "data_sources": ["Windows event logs", "Anti-virus"], "description": "Detection of Windows Defender Tampering, from definitions' deletion to deactivation of parts or all of Defender.", "attack": ["stealth - Impair Defenses (T1562)", "stealth - Indicator Removal (T1070)"], "intake-formats": ["Azure Windows", "Keycloak Events", "Fortinet FortiGate", "OCSF", "Sekoia.io Endpoint Agent", "Stormshield SES", "AWS CloudTrail", "WithSecure Elements", "CyberArk Audit Logs", "Delinea PRA", "ArubaOS Switch", "HarfangLab EDR", "Ivanti / Pulse Connect Secure", "Trellix ePO (on-prem)", "Windows", "NeroSwarm Honeypot", "Elastic Winlogbeat"]}, {"uuid": "e3457abd-b1cb-4a9a-9d66-6b62133f8b6c", "name": "Ursnif Registry Key", "effort": "elementary", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects a new registry key created by Ursnif malware. The rule requires to log for Registry Events, which can be done using SYsmon's Event IDs 12,13 and 14.", "attack": ["persistence - Modify Registry (T1112)"], "intake-formats": ["Azure Windows", "Microsoft Defender XDR (Graph API) [BETA]", "Sekoia.io Endpoint Agent", "BeyondTrust Privileged Remote Access Session", "Microsoft Defender XDR / Microsoft 365 Defender", "Trend Micro Vision One Workbench Alerts [BETA]", "Sophos Analysis Threat Center", "BeyondTrust PRA Team [BETA]", "SentinelOne Cloud Funnel 2.0", "Crowdstrike Falcon Telemetry", "HarfangLab EDR", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "Windows", "Elastic Winlogbeat"]}, {"uuid": "244bc594-cfc6-4aee-91f8-3367789a1f5a", "name": "RDP Login From Localhost", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects RDP login from localhost source address, which may be a tunnelled login to bypass network restrictions.", "attack": ["lateral-movement - Remote Desktop Protocol (T1021.001)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent", "Elastic Winlogbeat"]}, {"uuid": "85b05716-b586-463a-b460-48557a2f2c11", "name": "Schtasks Persistence With High Privileges", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detection of scheduled task with high privileges used by attacker for persistence.", "attack": ["privilege-escalation - At (T1053.002)", "privilege-escalation - Scheduled Task (T1053.005)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "4891a71e-5f18-4b33-8dc2-0035a07c5aa5", "name": "Language Discovery", "effort": "advanced", "data_sources": ["Windows Registry"], "description": "Detects when a user makes a query on the language of the system.", "attack": ["discovery - System Language Discovery (T1614.001)"], "intake-formats": ["Sekoia.io Endpoint Agent", "Trend Micro Vision One Workbench Alerts [BETA]", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "HarfangLab EDR", "Windows", "Elastic Winlogbeat"]}, {"uuid": "4a317b95-ae41-42ff-b771-8f0b423b82d7", "name": "Suspicious Mshta Execution From Wmi", "effort": "intermediate", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters"], "description": "Detects mshta executed by wmiprvse as parent. It has been used by TA505 with some malicious documents.", "attack": ["execution - Windows Management Instrumentation (T1047)"], "intake-formats": ["Azure Activity Logs", "Azure Windows", "ESET Protect", "OCSF", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "940fb679-26c6-44f2-898e-240a2d8f98e9", "name": "AD Privileged Users Or Groups Reconnaissance", "effort": "master", "data_sources": ["Windows event logs"], "description": "Detect privileged users or groups reconnaissance based on 4661 Event ID and known privileged users or groups SIDs. If the user account name is not a known admin it is suspicious.", "attack": ["discovery - Account Discovery (T1087)", "discovery - Domain Account (T1087.002)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "a4e7431f-7114-42d9-a5f5-957a8ba98469", "name": "Office Application Startup Office Test", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs", "Windows Registry"], "description": "Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed everytime an Office application is started. An adversaries may abuse the Microsoft Office \"Office Test\" Registry key to obtain persistence on a compromised system.", "attack": ["persistence - Office Test (T1137.002)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "One Identity SPS", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "WithSecure Elements", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "e7afc80b-8b35-4967-b213-554117c46edf", "name": "Searchprotocolhost Wrong Parent", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects if the Search Protocol Host process was executed by a non-legitimate parent process. Search Protocol Host is part of the Windows Indexing Service, a service indexing files on the local drive making them easier to search.", "attack": ["privilege-escalation - Process Injection (T1055)", "privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Azure Windows", "ESET Protect", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Cloud Funnel 2.0", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "e6b63976-14da-44bc-88f4-b89a656306ac", "name": "XCopy Suspicious Usage", "effort": "advanced", "data_sources": ["Process monitoring", "Process command-line parameters", "Windows event logs"], "description": "Detects the usage of xcopy with suspicious command line options (used by Judgment Panda APT in the past). The rule is based on command line only in case xcopy is renamed.", "attack": ["credential-access - Credentials In Files (T1552.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "146c8187-a4a6-480a-b681-c28f5d95c91d", "name": "Suspicious Regasm Regsvcs Usage", "effort": "advanced", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters"], "description": "catch abuse of regsvcs and regasm lolbin by attacker", "attack": ["stealth - Regsvcs/Regasm (T1218.009)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "af2bb186-13d5-473f-b4df-95d8fe6ddae8", "name": "SCM Database Privileged Operation", "effort": "master", "data_sources": ["Windows event logs", "Process monitoring"], "description": "Detects non-system users performing privileged operation on the SCM database", "attack": ["discovery - System Service Discovery (T1007)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "cf1ff94f-9041-4a19-bac8-a8daba0ef1ae", "name": "RDP Sensitive Settings Changed", "effort": "advanced", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects changes to RDP terminal service sensitive settings. Logging for registry events is needed in the Sysmon configuration (events 12 and 13).", "attack": ["persistence - Modify Registry (T1112)"], "intake-formats": ["Azure Windows", "Microsoft Defender XDR (Graph API) [BETA]", "Sekoia.io Endpoint Agent", "BeyondTrust Privileged Remote Access Session", "Microsoft Defender XDR / Microsoft 365 Defender", "Trend Micro Vision One Workbench Alerts [BETA]", "Sophos Analysis Threat Center", "BeyondTrust PRA Team [BETA]", "SentinelOne Cloud Funnel 2.0", "Tanium", "Crowdstrike Falcon Telemetry", "HarfangLab EDR", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "Windows", "Elastic Winlogbeat"]}, {"uuid": "571c0bd6-0ef3-472a-851a-24776ea7a9db", "name": "Anomaly Possible Sysvol Dump", "effort": "master", "data_sources": ["Windows event logs"], "description": "The rule detects abnormally high access to sysvol files.", "attack": ["reconnaissance - Gather Victim Identity Information (T1589)"], "intake-formats": []}, {"uuid": "b8c71085-a995-48be-afef-e69afd890fdc", "name": "PowerShell Invoke-Obfuscation Obfuscated IEX Invocation", "effort": "advanced", "data_sources": ["PowerShell logs", "Windows event logs"], "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework", "attack": ["stealth - Obfuscated Files or Information (T1027)", "execution - PowerShell (T1059.001)"], "intake-formats": ["Sekoia.io Endpoint Agent", "Trend Micro Vision One Workbench Alerts [BETA]", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "HarfangLab EDR", "Windows", "Elastic Winlogbeat"]}, {"uuid": "76d74ba4-0fb5-4716-b3c4-153151ad923a", "name": "Netsh Allow Command", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Process use of network", "Windows event logs"], "description": "Netsh command line to allow a program to pass through firewall.", "attack": ["stealth - Disable or Modify System Firewall (T1562.004)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "2577b765-2fcd-482c-bcb9-322834834039", "name": "Svchost Wrong Parent", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects if the svchost.exe process was executed by a non-legitimate parent process. Svchost (Service Host Process) is a generic host process name for services that run from dynamic-link libraries (DLLs).", "attack": ["privilege-escalation - Process Injection (T1055)", "privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Azure Windows", "ESET Protect", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Cloud Funnel 2.0", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "b81512eb-16c7-4ded-9742-206562af6c14", "name": "Exploited CVE-2020-10189 Zoho ManageEngine", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189.", "attack": ["initial-access - Exploit Public-Facing Application (T1190)", "execution - PowerShell (T1059.001)", "execution - Windows Command Shell (T1059.003)"], "intake-formats": ["Azure Windows", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "Sophos Analysis Threat Center", "Elastic Winlogbeat", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "WithSecure Elements", "Tanium", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "bd714c87-b75e-4132-bb5b-19c2d0cd093d", "name": "Correlation Priv Esc Via Remote Thread", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detect a process that obtains system privilege via a remote thread", "attack": ["privilege-escalation - Access Token Manipulation (T1134)"], "intake-formats": ["Trend Micro Vision One Workbench Alerts [BETA]", "CrowdStrike Falcon", "ESET Protect", "NucleonEDR", "Palo Alto Cortex XDR (EDR)", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "HarfangLab EDR", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "Broadcom/Symantec Endpoint Security", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Trellix ePO (on-prem)", "Windows"]}, {"uuid": "76d328dc-d88f-4f3e-af05-c01a49f70904", "name": "Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting", "effort": "master", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects the modification of Outlook setting \"LoadMacroProviderOnBoot\" which if enabled allows the automatic loading of any configured VBA project/module. Logging for Registry events is needed, it can be done in the Sysmon configuration (events 12 and 13).", "attack": ["persistence - Office Application Startup (T1137)", "persistence - Event Triggered Execution (T1546)"], "intake-formats": ["Azure Windows", "Microsoft Defender XDR (Graph API) [BETA]", "Sekoia.io Endpoint Agent", "Trend Micro Vision One Workbench Alerts [BETA]", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Crowdstrike Falcon Telemetry", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "0397961b-e068-4a64-bfa2-f568e57eff69", "name": "Legitimate Process Execution From Unusual Folder", "effort": "advanced", "data_sources": ["Windows event logs", "Process monitoring"], "description": "Detects the execution of a legitimate, windows built-in process name from an unusual / suspicious folder. Legitimate folders are c:\\windows\\system32\\, \\SystemRoot\\system32\\, c:\\windows\\syswow64\\ and c:\\windows\\winsxs\\. Many malwares/attackers use legitimate names to masquerade but if they are not Administrator yet, they often can't write file into these legitimate folders.", "attack": ["stealth - Match Legitimate Resource Name or Location (T1036.005)"], "intake-formats": ["Akamai Guardicore On-Prem [BETA]", "CrowdStrike Falcon", "ESET Protect", "Bitdefender GravityZone", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "SentinelOne Singularity Identity", "Daspren Parad", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Tanium", "HarfangLab EDR", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "Broadcom/Symantec Endpoint Security", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Trellix ePO (on-prem)", "Windows", "Elastic Winlogbeat"]}, {"uuid": "a96ea8b7-9296-41a8-9396-889cc5a96078", "name": "PowerShell Execution Via Rundll32", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects PowerShell Strings applied to rundll as seen in PowerShdll.dll Rule modified", "attack": ["execution - Rundll32 (T1085)", "stealth - Rundll32 (T1218.011)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "931d340a-b02b-4c2a-8f57-b733dc3d44b3", "name": "SeEnableDelegationPrivilege Granted To User Or Machine In Active Directory", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects the SeEnableDelegationPrivilege right in Active Directory granted to a user of a computer, it would allow control of other AD user objects", "attack": ["privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent", "Elastic Winlogbeat"]}, {"uuid": "3a14260c-abd2-4ada-a673-776935ebb441", "name": "MMC20 Lateral Movement", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of \"-Embedding\" as a child of svchost.exe.", "attack": ["lateral-movement - Distributed Component Object Model (T1021.003)"], "intake-formats": ["Azure Activity Logs", "Azure Windows", "OCSF", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "16590703-89ad-4e0f-9c3d-6ec7678be647", "name": "Information Stealer Downloading Legitimate Third-Party DLLs", "effort": "intermediate", "data_sources": ["File monitoring", "Windows event logs"], "description": "Detects operations that involved legitimate third-party DLLs used by information-stealing malware for data collection on the infected host. This detection rule correlates at least 7 events including the following DLLs - freebl3.dll, vcruntime140.dll, msvcp140.dll, nss3.dll, sqlite3.dll, softokn3.dll, mozglue.dll and libcurl.dll. This behaviour matches activities of several widespread stealer like Vidar, Raccoon Stealer v2, Mars Stealer, etc.", "attack": ["command-and-control - Ingress Tool Transfer (T1105)", "credential-access - Credentials from Password Stores (T1555)", "collection - Data from Local System (T1005)"], "intake-formats": ["Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "VMware ESXi", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "IBM iSeries", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "IBM AIX", "Cisco NX-OS", "Trend Micro Apex One / Vision One endpoint", "HarfangLab EDR", "SonicWall Firewall", "Palo Alto Cortex XDR (EDR)", "Windows"]}, {"uuid": "ef5a9c6a-bdd6-4dbe-8c99-d628e9db22a3", "name": "DHCP Server Loaded the CallOut DLL", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded. This would indicate a succesful attack against DHCP service allowing to disrupt the service or alter the integrity of the responses.", "attack": ["execution - DLL Side-Loading (T1574.002)"], "intake-formats": ["Azure Windows", "Keycloak Events", "Fortinet FortiGate", "OCSF", "Sekoia.io Endpoint Agent", "Stormshield SES", "AWS CloudTrail", "WithSecure Elements", "CyberArk Audit Logs", "Delinea PRA", "ArubaOS Switch", "HarfangLab EDR", "Ivanti / Pulse Connect Secure", "Trellix ePO (on-prem)", "Windows", "NeroSwarm Honeypot", "Elastic Winlogbeat"]}, {"uuid": "1ebf45bc-bed5-45de-a67e-61e9d8363416", "name": "Suspicious Double Extension", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spearphishing campaigns", "attack": ["initial-access - Spearphishing Attachment (T1566.001)"], "intake-formats": ["Keycloak Events", "Microsoft Defender XDR (Graph API) [BETA]", "Akamai Guardicore On-Prem [BETA]", "Cisco Secure Firewall", "IBM AIX", "Windows Log Insight", "CrowdStrike Falcon", "Postfix", "SonicWall Firewall", "Stormshield SES", "Cybereason EDR", "VMware ESXi", "ESET Protect", "Elastic AuditBeat Linux", "Trellix EPO [ALPHA]", "Jumpcloud Directory Insights", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "CEF", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Daspren Parad", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Microsoft 365 / Office 365", "Akamai Guardicore Cloud [BETA]", "Azure Activity Logs", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "IBM iSeries", "VMware vCenter", "Thinkst Canary", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Broadcom/Symantec Endpoint Security", "Trellix ePO (on-prem)", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "1c9f3d57-e6e0-4cd2-90e4-5b62a85607bf", "name": "Opening Of a Password File", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Command line detection of common office software opening some password related file. It could be a security breach if an unauthorized user access it.", "attack": ["credential-access - Unsecured Credentials (T1552)", "credential-access - Credentials In Files (T1552.001)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "88635016-2f52-4ebb-a4d5-35a4a6d85a44", "name": "Lsass Access Through WinRM", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects the access of LSASS.exe process through Windows Remote Management (WinRM) protocol. This is often done using Invoke-Mimikatz -ComputerName command, which uses PSRemoting and therefore WinRM. However, this is not limited to the Mimikatz threat and can be done by other tools as well. This rule needs Process Access monitoring, which can be done using Sysmon's event ID 10.", "attack": ["credential-access - LSASS Memory (T1003.001)", "lateral-movement - Windows Remote Management (T1021.006)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "0469bfe6-471d-44de-a874-3510bded8ee4", "name": "TUN/TAP Driver Installation", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "Detects the installation of the TUN or TAP driver service, this activity could be related to data exfiltration using tunneling techniques. The TUN/TAP Windows Adapter is a network driver that enables some VPN providers to facilitate a VPN connection to their server. TUN/TAP driver is only used by specific VPNs (e.g. OpenVPN, Wireguard), not by thoses based on IKE protocols (e.g. IPsec).", "attack": ["exfiltration - Exfiltration Over Alternative Protocol (T1048)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "204ba402-4d69-49c0-aa8e-38988a93e882", "name": "Elise Backdoor", "effort": "elementary", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters"], "description": "Detects Elise backdoor activity as used by Lotus Blossom", "attack": ["execution - Windows Command Shell (T1059.003)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "d71eaa48-288f-4d60-8759-63f9effb84a0", "name": "Check Point Harmony Mobile Application Forbidden", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects when someone attempts to access/use a forbidden application.", "attack": ["execution - System Services (T1569)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent", "Check Point Harmony Mobile"]}, {"uuid": "ebc80f73-7a29-45a9-bb7c-aa446a97d9e5", "name": "Suspicious Windows DNS Queries", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects a suspicious Windows command-line process making a DNS query via known abuse text paste web services. This is based on Microsoft Windows Sysmon events (Event ID 22).", "attack": ["command-and-control - Web Protocols (T1071.001)"], "intake-formats": ["Akamai Guardicore On-Prem [BETA]", "Cisco Secure Firewall", "Postfix", "CrowdStrike Falcon", "SonicWall Firewall", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "CEF", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Tanium", "HarfangLab EDR", "Akamai Guardicore Cloud [BETA]", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "OCSF", "Sekoia.io Endpoint Agent", "Thinkst Canary", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Broadcom/Symantec Endpoint Security", "Windows", "Elastic Winlogbeat"]}, {"uuid": "2b37e436-1ddc-4f2c-8f4c-80732cfc83da", "name": "Werfault DLL Injection", "effort": "intermediate", "data_sources": ["Loaded DLLs", "DLL monitoring", "Windows event logs"], "description": "Werfault DLL search order look first in the current file, which lets an attacker use th legitimate exe to run its own DLL.  ", "attack": ["execution - DLL Side-Loading (T1574.002)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "ad9fbd19-cf5e-4a67-90ac-4e457797d04e", "name": "Windows Suspicious Service Creation", "effort": "intermediate", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects the creation of a new suspicious service - attacker could use MSRPC to create a remote service", "attack": ["execution - Service Execution (T1569.002)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "2321039f-6772-4126-bd8f-17e8f5f0adec", "name": "Phosphorus Domain Controller Discovery", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs", "PowerShell logs"], "description": "According to the Miscosoft's report, the group Phosphorus (part of APT35) uses a specific PowerShell command to collect information about the Domain Controller. The command is the following: \"powershell.exe\" /c Get-WMIObject Win32_NTDomain | findstr DomainController", "attack": ["discovery - Domain Trust Discovery (T1482)"], "intake-formats": ["Sekoia.io Endpoint Agent", "Trend Micro Vision One Workbench Alerts [BETA]", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "HarfangLab EDR", "Windows", "Elastic Winlogbeat"]}, {"uuid": "9297b21b-390e-4da6-aaba-637e772744f1", "name": "Non-Legitimate Executable Using AcceptEula Parameter", "effort": "advanced", "data_sources": ["Process monitoring", "Process command-line parameters", "Windows event logs"], "description": "Detects accepteula in command line with non-legitimate executable name. Some attackers are masquerading SysInternals tools with decoy names to prevent detection.", "attack": ["stealth - Masquerading (T1036)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "108ff651-7beb-4f81-860e-15d4aff9caa7", "name": "CMSTP Execution", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs", "Process command-line parameters"], "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", "attack": ["execution - CMSTP (T1191)", "stealth - CMSTP (T1218.003)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "74b4dc86-6f16-409a-8234-6da69a7e4996", "name": "Suspicious Cmd.exe Command Line", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detection on suspicious cmd.exe command line seen being used by some attackers (e.g. Lazarus with Word macros). This requires Windows process command line logging.", "attack": ["execution - Windows Command Shell (T1059.003)", "stealth - Rename Legitimate Utilities (T1036.003)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "e4b93e01-4831-4e27-b4b7-f4a8b5b74d8b", "name": "Anomaly Bruteforce Disabled Users", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "The rule detects abnormally high number of TGT failed or NTLM authent failed associate to error code account disabled who could indicate a brute force attack", "attack": ["credential-access - Brute Force (T1110)"], "intake-formats": []}, {"uuid": "4737a5a2-0260-4219-9cd2-9dfac273f2c7", "name": "Wmic Service Call", "effort": "intermediate", "data_sources": ["Process command-line parameters", "PowerShell logs", "Windows event logs"], "description": "Detects either remote or local code execution using wmic tool.", "attack": ["execution - Windows Management Instrumentation (T1047)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "1a92bab6-55fc-465f-8997-e82ee22bf7fe", "name": "CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs", "Loaded DLLs", "DLL monitoring", "File monitoring"], "description": "Detects suspicious image loads and file creations from the spoolsv process which could be a sign of an attacker trying to exploit the PrintNightmare vulnerability, CVE-2021-34527. A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. This works as well as a Local Privilege escalation vulnerability. To fully work the rule requires to log for Loaded DLLs and File Creations, which can be done respectively using the Sysmon's event IDs 7 and 11.", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "IBM AIX", "SonicWall Firewall", "Cybereason EDR", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Azure Windows", "CEF", "Barracuda CloudGen Firewall", "Daspren Parad", "Sophos Analysis Threat Center", "Tanium", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "IBM iSeries", "Cisco NX-OS", "Trend Micro Apex One / Vision One endpoint", "WithSecure Elements", "Windows", "Elastic Winlogbeat"]}, {"uuid": "dbdc0d79-58ea-4c58-9835-6f16ea2a5d22", "name": "Suspicious Taskkill Command", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects rare taskkill command being used. It could be related to Baby Shark malware.", "attack": ["execution - Windows Command Shell (T1059.003)", "execution - PowerShell (T1059.001)", "discovery - Query Registry (T1012)", "stealth - Mshta (T1218.005)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "12ca53fd-8f6a-4556-a5a5-7b40625b4acc", "name": "Usage Of Procdump With Common Arguments", "effort": "advanced", "data_sources": ["Windows event logs", "Process command-line parameters"], "description": "Detects the usage of Procdump sysinternals tool with some common arguments and followed by common patterns.", "attack": ["execution - Service Execution (T1569.002)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "554652de-dfa0-4e1a-a342-44a7dbae5466", "name": "Mimikatz Basic Commands", "effort": "elementary", "data_sources": ["PowerShell logs", "Process command-line parameters", "Windows event logs"], "description": "Detects Mimikatz most popular commands. ", "attack": ["privilege-escalation - Account Manipulation (T1098)", "credential-access - OS Credential Dumping (T1003)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "d14c1bc0-2781-475f-9bc0-b5afa2105a66", "name": "Credential Harvesting Via Vaultcmd.exe", "effort": "advanced", "data_sources": ["Windows event logs", "Process command-line parameters", "Process monitoring"], "description": "Detects when the process vaultcmd is used for credential harvesting.", "attack": ["credential-access - Credentials from Password Stores (T1555)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "f597a828-2c6a-4452-9e24-0ce7cd31fb81", "name": "Registry Key Used By Some Old Agent Tesla Samples", "effort": "intermediate", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects potential use of the RUN registry key to execute some Agent Tesla samples at boot. Prerequisites are to log for Registry events in the Sysmon configuration (events 12 and 13).", "attack": ["privilege-escalation - Registry Run Keys / Startup Folder (T1547.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "b38d9bc6-12ba-448c-9cde-b4ff036c5efa", "name": "Compress Data for Exfiltration via Archiver", "effort": "master", "data_sources": ["Windows event logs"], "description": "Detects data compressed by specific tools.", "attack": ["collection - Archive via Utility (T1560.001)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "15710f0a-59d0-4ae2-9b13-05ac6f9cf6fe", "name": "Domain Trust Created Or Removed", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "A trust was created or removed to a domain. An attacker could perform that in order to do lateral movement easily between domains or shutdown the ability of two domains to communicate.", "attack": ["privilege-escalation - Trust Modification (T1484.002)"], "intake-formats": ["Keycloak Events", "Trend Micro Apex One / Vision One endpoint", "Fortinet FortiGate", "Cisco Secure Firewall", "Claroty xDome", "Palo Alto Prisma access", "RSA SecurID", "Sophos EDR", "WatchGuard Firebox", "IBM AIX", "Windows Log Insight", "Clavister NGFW", "F5 BIG-IP", "Ivanti / Pulse Connect Secure", "SonicWall Firewall", "NeroSwarm Honeypot", "Azure Network Watcher [DEPRECATED]", "Citrix NetScaler / ADC", "CyberArk Audit Logs", "Delinea PRA", "ArubaOS Switch", "Radware DefensePro [Beta]", "Salesforce", "Kubernetes Audit Log", "Trellix Advanced Threat Defense", "TEHTRIS EDR", "Azure Windows", "BeyondTrust Privileged Remote Access Session", "AWS CloudTrail", "Check Point NGFW", "BeyondTrust PRA Team [BETA]", "Sophos Analysis Threat Center", "WithSecure Elements", "CyberArk Digital Vault", "Cybereason EDR activity", "Forcepoint Next-Generation Firewall", "Palo Alto NGFW", "HarfangLab EDR", "Microsoft 365 / Office 365", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Lacework Cloud Security", "OCSF", "Sekoia.io Endpoint Agent", "IBM iSeries", "ExtraHop Reveal(x) 360", "Azure Network Watcher Flow Logs", "BeyondTrust PRA Vault Account Activity [BETA]", "Forcepoint Secure Web Gateway", "Thinkst Canary", "VMware vCenter", "Cisco NX-OS", "NucleonEDR", "Stormshield SES", "Trellix ePO (on-prem)", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "299e7e60-205f-4de6-a6b6-43de66177878", "name": "Sigma Intelligence ErrTraffic PowerShell Command Line", "effort": "elementary", "data_sources": ["PowerShell logs"], "description": "Detects powershell script executed via ErrTraffic infection chain", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Sekoia.io Endpoint Agent", "Trend Micro Vision One Workbench Alerts [BETA]", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "HarfangLab EDR", "Windows", "Elastic Winlogbeat"]}, {"uuid": "152bf729-1967-46bf-b31b-30d8780477aa", "name": "WMI Persistence Command Line Event Consumer", "effort": "elementary", "data_sources": ["Loaded DLLs", "Process monitoring", "Windows event logs"], "description": "Detects WMI command line event consumers.", "attack": ["privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["SentinelOne Cloud Funnel 2.0", "HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "555744c3-546c-48f5-ba5e-37ea54925edc", "name": "NjRat Registry Changes", "effort": "master", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters", "Windows Registry"], "description": "Detects changes for the RUN registry key which happen when a victim is infected by NjRAT. Please note that even if NjRat is well-known for the behavior the rule catches, the rule is a bit larger and could catch other malwares.", "attack": ["privilege-escalation - Boot or Logon Autostart Execution (T1547)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "One Identity SPS", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "WithSecure Elements", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "2eb4eeda-8653-11eb-8dcd-0242ac130003", "name": "DNS Exfiltration and Tunneling Tools Execution", "effort": "intermediate", "data_sources": ["Windows event logs", "Process monitoring", "PowerShell logs"], "description": "Well-known DNS exfiltration tools execution", "attack": ["exfiltration - Exfiltration Over Symmetric Encrypted Non-C2 Protocol (T1048.001)", "command-and-control - DNS (T1071.004)", "command-and-control - Standard Encoding (T1132.001)", "execution - PowerShell (T1059.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "5d0c9fbe-96f8-4ed8-8c9a-3a0d53e62769", "name": "PowerView commandlets 1", "effort": "advanced", "data_sources": ["PowerShell logs", "Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects PowerView commandlets which perform network and Windows domain enumeration and exploitation. It provides replaces for almost all Windows net commands, letting you query users, machines, domain controllers, user descriptions, share, sessions, and more.", "attack": ["discovery - System Service Discovery (T1007)", "discovery - Remote System Discovery (T1018)", "discovery - Account Discovery (T1087)", "discovery - Network Share Discovery (T1135)", "discovery - Domain Trust Discovery (T1482)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "207d601b-0e68-4326-9150-0da6a23d9038", "name": "Windows Defender Logging Modification Via Registry", "effort": "elementary", "data_sources": ["Windows Registry"], "description": "Detects when the logging for defender is disabled in the registry.", "attack": ["persistence - Modify Registry (T1112)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "One Identity SPS", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "WithSecure Elements", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "68fbcc4d-b765-4ca8-8635-b0e54ab6830b", "name": "Remote Service Activity Via SVCCTL Named Pipe", "effort": "master", "data_sources": ["Process use of network", "Windows event logs"], "description": "Detects remote service activity via remote access to the svcctl named pipe", "attack": ["lateral-movement - SMB/Windows Admin Shares (T1021.002)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "8283ef9c-dc67-4416-b8f8-642752b2d55b", "name": "Transferring Files With Credential Data Via Network Shares", "effort": "intermediate", "data_sources": ["File monitoring", "Windows event logs"], "description": "Detects file transfer of sensitive files which contain credential data using network shares.", "attack": ["credential-access - OS Credential Dumping (T1003)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "e63a2bc6-96be-4fd4-8f81-8423240e083b", "name": "Suspicious Hangul Word Processor Child Process", "effort": "elementary", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects suspicious Hangul Word Processor (HWP) child process that could indicate an exploitation as used by the Lazarus APT during the Operation Ghost Puppet (2018). This activity could correspond to a maldoc execution related to a .hwp file. Hangul is a proprietary word processing application that supports the Korean written language.", "attack": ["initial-access - Spearphishing Attachment (T1566.001)", "execution - Exploitation for Client Execution (T1203)"], "intake-formats": ["Azure Activity Logs", "Azure Windows", "ESET Protect", "OCSF", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "5c5c61cc-3af7-4aec-b6de-cb8598319107", "name": "Load Of dbghelp/dbgcore DLL From Suspicious Process", "effort": "advanced", "data_sources": ["DLL monitoring", "Loaded DLLs", "Process monitoring", "Windows event logs"], "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Many tools import dbghelp.dll and / or dbgcore.dll to use the MiniDumpWriteDump function. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. Dumpert from OUTFLANK also uses this.", "attack": ["credential-access - OS Credential Dumping (T1003)", "credential-access - LSASS Memory (T1003.001)"], "intake-formats": ["SentinelOne Cloud Funnel 2.0", "HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "67722502-8721-11eb-8dcd-0242ac130003", "name": "Exploit For CVE-2015-1641", "effort": "elementary", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects Winword process starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641", "attack": ["execution - Exploitation for Client Execution (T1203)", "execution - Malicious File (T1204.002)"], "intake-formats": ["Azure Activity Logs", "Azure Windows", "ESET Protect", "OCSF", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "eee87513-7638-4666-82cf-e8cc124c825f", "name": "NlTest Usage", "effort": "advanced", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters"], "description": "Detects attempts to gather information on domain trust relationships that may be used to identify lateral movement opportunities. These command lines were observed in numerous attacks, but also sometimes from legitimate administrators for debugging purposes. The rule does not cover very basics commands but rather the ones that are interesting for attackers to gather information on a domain.", "attack": ["discovery - Domain Trust Discovery (T1482)"], "intake-formats": ["Keycloak Events", "Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Akamai Guardicore On-Prem [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "Windows Log Insight", "F5 BIG-IP", "CrowdStrike Falcon", "Postfix", "SonicWall Firewall", "Stormshield SES", "Cybereason EDR", "VMware ESXi", "ESET Protect", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Trellix EPO [ALPHA]", "Jumpcloud Directory Insights", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "CEF", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Daspren Parad", "One Identity SPS", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "WithSecure Elements", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Microsoft 365 / Office 365", "Akamai Guardicore Cloud [BETA]", "Azure Activity Logs", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "IBM iSeries", "VMware vCenter", "Thinkst Canary", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Broadcom/Symantec Endpoint Security", "Trellix ePO (on-prem)", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "89d93ab3-c400-45e2-aa48-6015327b5129", "name": "Impacket Wmiexec Module", "effort": "elementary", "data_sources": ["PowerShell logs", "Windows event logs", "Process command-line parameters"], "description": "Detection of impacket's wmiexec example, used by attackers to execute commands remotely.", "attack": ["execution - Windows Management Instrumentation (T1047)"], "intake-formats": ["Azure Activity Logs", "Azure Windows", "OCSF", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Bitdefender GravityZone", "Microsoft Defender XDR / Microsoft 365 Defender", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "e918b614-f50d-4717-84de-91e3339a89c5", "name": "Exploiting SetupComplete.cmd CVE-2019-1378", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects exploitation attempts of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378.", "attack": ["privilege-escalation - Exploitation for Privilege Escalation (T1068)", "execution - Windows Command Shell (T1059.003)", "execution - Hijack Execution Flow (T1574)"], "intake-formats": ["Azure Windows", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "Trend Micro Vision One Workbench Alerts [BETA]", "Sophos Analysis Threat Center", "Elastic Winlogbeat", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "WithSecure Elements", "Tanium", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "f99c576f-dd7e-4392-80a0-9b597198f966", "name": "Suspicious LDAP-Attributes Used", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies. Careful as the 5136 is only on domain controllers and needs to be activated through the Group Policy.", "attack": ["command-and-control - Application Layer Protocol (T1071)", "command-and-control - Protocol or Service Impersonation (T1001.003)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "b51527e0-ab3a-49ea-8191-f704033a823a", "name": "Meterpreter or Cobalt Strike Getsystem Service Installation", "effort": "elementary", "data_sources": ["DLL monitoring", "Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting some of the techniques being used (technique 1,2 and 5).", "attack": ["privilege-escalation - Token Impersonation/Theft (T1134.001)", "privilege-escalation - Create Process with Token (T1134.002)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "0ad5f1bf-034e-4a90-868f-a463ac06dcd7", "name": "Searchindexer Wrong Parent", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects if the Search Indexer was executed by a non-legitimate parent process. Search Indexer is the Windows service that handles indexing of your files for Windows Search.", "attack": ["privilege-escalation - Process Injection (T1055)", "privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Azure Windows", "ESET Protect", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Cloud Funnel 2.0", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "1ac03946-f9fa-490c-ab23-88b4514e733c", "name": "Eventlog Cleared", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "Some threat groups tend to delete local EventLogs (Security being the most common one to be deleted) using certain utilities. The EventID 517 is old and 1102 should be used for this instead on newer Windows versions.", "attack": ["stealth - Clear Windows Event Logs (T1070.001)"], "intake-formats": ["Sekoia.io Endpoint Agent", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "5a402e06-6718-4822-92c7-ce379b982f86", "name": "Process Herpaderping", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detection of process herpaderping using Sysmon Event ID 25. It detects that an image has been locked for access. Several processes have been excluded to avoid FPs.", "attack": ["privilege-escalation - Process Injection (T1055)"], "intake-formats": ["Azure Windows", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "d2d80d00-b87b-4822-9434-254a3503c8e0", "name": "Domain Group And Permission Enumeration", "effort": "advanced", "data_sources": ["Windows event logs", "Process monitoring", "Process use of network", "Process command-line parameters"], "description": "Detects adversaries attempts to find domain-level groups and permission settings. Commands such as net group /domain of the Net utility can list domain-level groups The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators. Wizard Spider, FIN6, and other groups used net in their campaigns.", "attack": ["discovery - Domain Groups (T1069.002)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "b0d3527c-a745-11eb-b949-f0d5bf514442", "name": "Potential RDP Connection To Non-Domain Host", "effort": "master", "data_sources": ["Windows event logs"], "description": "Detects logons using NTLM to hosts that are potentially not part of the domain using RDP (TermSrv). Event ID 8001 corresponds to outgoing NTLM authentication traffic and TermSrv stands for RDP Terminal Services Server. Check if the contacted host is legitimate. To use this detection rule, enable logging of outbound NTLM authentications on all domain controllers, using the following Group Policy (GPO) - Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers -> Define this policy setting: Audit all.", "attack": ["lateral-movement - Pass the Hash (T1550.002)"], "intake-formats": ["Azure Windows", "Fortinet FortiGate", "Sekoia.io Endpoint Agent", "Azure Network Watcher [DEPRECATED]", "AWS CloudTrail", "Palo Alto Prisma access", "Palo Alto NGFW", "F5 BIG-IP", "WithSecure Elements", "Windows", "Elastic Winlogbeat"]}, {"uuid": "bf1252f1-4928-4071-956d-7372052c28c7", "name": "DC Shadow via Service Principal Name (SPN) creation", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "Detects DCShadow via new Service Principal Name (SPN) creation ", "attack": ["defense-impairment - Rogue Domain Controller (T1207)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "707f4ef4-cacb-4c6f-4fea-13c7e3d17741", "name": "Impacket Addcomputer", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "Detects suspicious computer account creation based on impacket default pattern", "attack": ["persistence - Domain Account (T1136.002)"], "intake-formats": ["OCSF", "Sekoia.io Endpoint Agent", "BeyondTrust Privileged Remote Access Session", "Sophos Analysis Threat Center", "BeyondTrust PRA Team [BETA]", "Microsoft 365 / Office 365", "RSA SecurID", "Windows Log Insight", "CyberArk Audit Logs", "Trend Micro Apex One / Vision One endpoint", "HarfangLab EDR", "WithSecure Elements", "Trellix ePO (on-prem)", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "8722a2e7-4525-4b2e-b54e-21dc67702b4c", "name": "Rebooting", "effort": "master", "data_sources": ["Windows event logs"], "description": "Detects when forcing a computer to shutdown.", "attack": ["impact - System Shutdown/Reboot (T1529)"], "intake-formats": ["SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "6fc9340c-748c-4f20-b1d1-a439058eebb7", "name": "Metasploit PSExec Service Creation", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects Metasploit service creation when using the PSExec module. The ImagePath here is usually a malicious command line using powershell.exe and/or cmd.exe.", "attack": ["execution - Service Execution (T1569.002)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "4a7dbc0c-6baa-4a42-8e2e-ad6b5805c1f2", "name": "Copy Of Legitimate System32 Executable", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "A script has copied a System32 executable.", "attack": ["stealth - Rename Legitimate Utilities (T1036.003)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "3500f23e-d07a-4ad7-ab23-97f5f5c9f17b", "name": "Antivirus Password Dumper Detection", "effort": "elementary", "data_sources": ["Windows event logs", "Anti-virus"], "description": "Detects a highly relevant Antivirus alert that reports a password dumper. This detection relies on Windows Defender events logs. This is based on Windows Defender logs (Event ID 1116 and 1117).", "attack": ["execution - Exploitation for Client Execution (T1203)", "command-and-control - Remote Access Tools (T1219)"], "intake-formats": ["HarfangLab EDR", "Stormshield SES", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "7a0c45d8-0abf-4e1a-8ead-ab140617ef82", "name": "PowerShell Malicious Nishang PowerShell Commandlets", "effort": "advanced", "data_sources": ["PowerShell logs", "Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects Commandlet names and arguments from the Nishang exploitation framework.", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "d6fdcde0-b389-437e-bfd2-f4f7c29163e9", "name": "WMI Install Of Binary", "effort": "elementary", "data_sources": ["Windows event logs"], "description": "Detection of WMI used to install a binary on the host. It is often used by attackers as a signed binary to infect an host.", "attack": ["execution - Windows Management Instrumentation (T1047)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "f394122b-8340-42ad-9631-4d04fee9c876", "name": "NetNTLM Downgrade Attack", "effort": "intermediate", "data_sources": ["Access tokens", "Windows event logs", "Windows Registry"], "description": "Detects changes in Windows Registry key (LMCompatibilityLevel, NTLMMinClientSec or RestrictSendingNTLMTraffic) which can lead to NetNTLM downgrade attack. The rule requires to log registry keys creation or update, it can be done using Sysmon's Event ID 12,13 and 14.", "attack": ["stealth - Disable or Modify Tools (T1562.001)", "persistence - Modify Registry (T1112)", "credential-access - OS Credential Dumping (T1003)"], "intake-formats": ["Azure Windows", "Microsoft Defender XDR (Graph API) [BETA]", "Sekoia.io Endpoint Agent", "BeyondTrust Privileged Remote Access Session", "Microsoft Defender XDR / Microsoft 365 Defender", "Trend Micro Vision One Workbench Alerts [BETA]", "Sophos Analysis Threat Center", "BeyondTrust PRA Team [BETA]", "SentinelOne Cloud Funnel 2.0", "Crowdstrike Falcon Telemetry", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "e49ab6e6-0fb7-47f8-95b0-404ec3b41b31", "name": "Suspicious Control Process", "effort": "advanced", "data_sources": ["Process monitoring", "Process command-line parameters", "Windows event logs"], "description": "Detects suspicious execution of control.exe process when used to execute a DLL file.", "attack": ["stealth - Control Panel (T1218.002)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "47447d4a-6b1b-415a-a01c-fb45b160d515", "name": "UAC Bypass Via Sdclt", "effort": "elementary", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects changes to HKCU\\Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand by an attacker in order to bypass User Account Control (UAC)", "attack": ["privilege-escalation - Bypass User Account Control (T1548.002)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "One Identity SPS", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "WithSecure Elements", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "14bb5424-8720-11eb-8dcd-0242ac130003", "name": "Exfiltration And Tunneling Tools Execution", "effort": "advanced", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Execution of well known tools for data exfiltration and tunneling", "attack": ["exfiltration - Exfiltration Over C2 Channel (T1041)", "command-and-control - Protocol Tunneling (T1572)", "command-and-control - Web Protocols (T1071.001)"], "intake-formats": ["Keycloak Events", "Microsoft Defender XDR (Graph API) [BETA]", "Akamai Guardicore On-Prem [BETA]", "Cisco Secure Firewall", "IBM AIX", "Windows Log Insight", "CrowdStrike Falcon", "Postfix", "SonicWall Firewall", "Stormshield SES", "Cybereason EDR", "VMware ESXi", "ESET Protect", "Elastic AuditBeat Linux", "Trellix EPO [ALPHA]", "Jumpcloud Directory Insights", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "CEF", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Daspren Parad", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Microsoft 365 / Office 365", "Akamai Guardicore Cloud [BETA]", "Azure Activity Logs", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "IBM iSeries", "VMware vCenter", "Thinkst Canary", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Broadcom/Symantec Endpoint Security", "Trellix ePO (on-prem)", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "8c2a5ca5-ad13-412d-bd58-188c6a3c24ff", "name": "Svchost DLL Search Order Hijack", "effort": "master", "data_sources": ["DLL monitoring", "Loaded DLLs", "Windows event logs"], "description": "Detects svchost process hijacking through DLL loading. IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\\Windows\\System32\\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote machine.", "attack": ["execution - DLL Side-Loading (T1574.002)", "execution - DLL (T1574.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "e0df67ae-832c-4706-a8db-eb17fd26116e", "name": "Narrator Feedback-Hub Persistence", "effort": "master", "data_sources": ["Windows event logs", "Windows Registry"], "description": "The Windows 10 Narrator's Feedback-Hub registry key has been modified which could be done by an attacker for persistence purposes. Prerequisites are logging for Registry events in the Sysmon configuration (events 12 and 13). Careful since the SwiftOnSecurity Sysmon's configuration needs to be changed to log for this specifically.", "attack": ["privilege-escalation - Registry Run Keys / Startup Folder (T1547.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "33f170fc-358a-4364-a155-5470921f6d6b", "name": "Default Encoding To UTF-8 PowerShell", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects PowerShell encoding to UTF-8, which is used by Sliver implants. The command line just sets the default encoding to UTF-8 in PowerShell.", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "0f6133f4-7b86-45e3-8b64-6f3402090a82", "name": "AzureEdge in Command Line", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects use of azureedge in the command line.", "attack": ["discovery - Cloud Service Discovery (T1526)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "e25a1cc6-7c0d-47f7-8fe0-cd4032193474", "name": "StoneDrill Service Install", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky ", "attack": ["privilege-escalation - Windows Service (T1543.003)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "430bd854-6cb5-457c-af50-05243ffb1e56", "name": "Suspicious PowerShell Invocations - Generic", "effort": "advanced", "data_sources": ["Windows event logs", "PowerShell logs", "Process command-line parameters"], "description": "Detects suspicious PowerShell invocation command parameters through command line logging or ScriptBlock Logging.", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "16758c06-0570-455b-88ee-a169189099eb", "name": "Copying Browser Files With Credentials", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects copy of sensitive data (passwords, cookies, credit cards) included in web browsers files.", "attack": ["credential-access - Security Account Manager (T1003.002)", "credential-access - Steal Web Session Cookie (T1539)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "6bc97fc1-d93b-4dae-94dd-1346b06c5954", "name": "Active Directory Data Export Using Csvde", "effort": "elementary", "data_sources": ["Process command-line parameters", "Windows event logs"], "description": "Detects the use of Csvde, a command-line tool from Windows Server that can be used to export Active Directory data to CSV files. This export doesn't include password hashes, but can be used as a discovery tool to enumerate users, machines and group memberships.", "attack": ["discovery - Domain Account (T1087.002)"], "intake-formats": ["Keycloak Events", "Microsoft Defender XDR (Graph API) [BETA]", "Akamai Guardicore On-Prem [BETA]", "Cisco Secure Firewall", "IBM AIX", "Windows Log Insight", "CrowdStrike Falcon", "Postfix", "SonicWall Firewall", "Stormshield SES", "Cybereason EDR", "VMware ESXi", "ESET Protect", "Elastic AuditBeat Linux", "Trellix EPO [ALPHA]", "Jumpcloud Directory Insights", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "CEF", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Daspren Parad", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Microsoft 365 / Office 365", "Akamai Guardicore Cloud [BETA]", "Azure Activity Logs", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "IBM iSeries", "VMware vCenter", "Thinkst Canary", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Broadcom/Symantec Endpoint Security", "Trellix ePO (on-prem)", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "d946bb55-1c73-4203-9d4d-1d1f48f7c80a", "name": "MOFComp Execution", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs", "Process command-line parameters"], "description": "Detects rare usage of the Managed Object Format (MOF) compiler on Microsoft Windows. This could be abused by some attackers to load WMI classes.", "attack": ["execution - CMSTP (T1191)", "stealth - CMSTP (T1218.003)"], "intake-formats": ["Azure Activity Logs", "Azure Windows", "OCSF", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "a0802a29-5197-4a83-8081-23941bbcb490", "name": "Winlogon wrong parent", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Winlogon.exe is a process that performs the Windows login management function, handling user login and logout in Windows. You see this process in action whenever the operating system asks you for your username and password. It is also responsible for loading user profiles after login, this supports automated login (when relevant) and keyboard and mouse inactivity monitoring to decide when to invoke the screen saver. This rule analyse if the parent of this process is a legitimate one or not.", "attack": ["privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Azure Windows", "ESET Protect", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Cloud Funnel 2.0", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "53519203-520a-4f47-b1b5-41aed5e3cbb8", "name": "Bloodhound and Sharphound Tools Usage", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects default process names and default command line parameters used by Bloodhound and Sharphound tools.", "attack": ["discovery - Local Account (T1087.001)", "discovery - Domain Account (T1087.002)", "discovery - Domain Trust Discovery (T1482)", "discovery - Local Groups (T1069.001)", "discovery - Domain Groups (T1069.002)", "execution - PowerShell (T1059.001)"], "intake-formats": ["Keycloak Events", "Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Akamai Guardicore On-Prem [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "Windows Log Insight", "F5 BIG-IP", "CrowdStrike Falcon", "Postfix", "SonicWall Firewall", "Stormshield SES", "Cybereason EDR", "VMware ESXi", "ESET Protect", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Trellix EPO [ALPHA]", "Jumpcloud Directory Insights", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "CEF", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Daspren Parad", "One Identity SPS", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "WithSecure Elements", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Microsoft 365 / Office 365", "Akamai Guardicore Cloud [BETA]", "Azure Activity Logs", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "IBM iSeries", "VMware vCenter", "Thinkst Canary", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Broadcom/Symantec Endpoint Security", "Trellix ePO (on-prem)", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "9fe468be-f66d-47cb-8756-425ca517a6ba", "name": "Gpresult Usage", "effort": "advanced", "data_sources": ["Windows event logs", "Process command-line parameters"], "description": "Detects when an account uses gpresult to get information on gpo.", "attack": ["discovery - Permission Groups Discovery (T1069)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "7c1f16c7-9684-4490-8939-66086c3f37ba", "name": "Equation Group DLL_U Load", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs", "Loaded DLLs"], "description": "Detects a specific tool and export used by EquationGroup", "attack": ["stealth - Rundll32 (T1218.011)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "25fff605-a108-44c0-b13e-776613d2353d", "name": "Antivirus Web Shell Detection", "effort": "elementary", "data_sources": ["Windows event logs", "Anti-virus"], "description": "Detects a highly relevant Antivirus alert that reports a web shell. This is based on Windows Defender logs (Event ID 1116 and 1117).", "attack": ["privilege-escalation - Web Shell (T1100)", "persistence - Web Shell (T1505.003)"], "intake-formats": ["HarfangLab EDR", "Stormshield SES", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "c0c5af8d-3d78-4369-a84b-4e576e6659dc", "name": "Microsoft Defender Antivirus Disable Services", "effort": "intermediate", "data_sources": ["Windows event logs", "Windows Registry", "Process monitoring", "Process command-line parameters"], "description": "The rule detects attempts to deactivate/disable Windows Defender through command line and registry.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "408f96f9-114f-4122-9092-54d10dbb7037", "name": "Webshell Creation", "effort": "master", "data_sources": ["File monitoring"], "description": "Detects possible webshell file creation. It requires File Creation monitoring, which can be done using Sysmon's Event ID 11. However the recommended SwiftOnSecurity configuration does not fully cover the needs for this rule, it needs to be updated with the proper file names extensions.", "attack": ["persistence - Web Shell (T1505.003)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Palo Alto Prisma access", "IBM AIX", "Watchguard EPDR", "ManageEngine ADAudit Plus", "SonicWall Firewall", "Cybereason EDR", "VMware ESXi", "Trellix Network Security", "CyberArk Audit Logs", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Azure Windows", "BeyondTrust Privileged Remote Access Session", "CEF", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "Daspren Parad", "One Identity SPS", "Sophos Analysis Threat Center", "Tanium", "Palo Alto NGFW", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Netskope", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "Kaspersky Endpoint Security", "Varonis Data Security", "IBM iSeries", "Cisco NX-OS", "Trend Micro Apex One / Vision One endpoint", "WithSecure Elements", "Windows", "Elastic Winlogbeat"]}, {"uuid": "c7fc2046-a3cc-4811-b7e5-6f1fb0c4d680", "name": "Debugging Software Deactivation", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "PowerShell logs", "Windows event logs"], "description": "Deactivation of some debugging softwares using taskkill command. It was observed being used by Ransomware operators.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "6b5bdbfa-2c94-4c26-aa61-b748054b8399", "name": "LSASS Memory Dump File Creation", "effort": "intermediate", "data_sources": ["File monitoring", "Windows event logs"], "description": "LSASS memory dump creation using operating systems utilities. Procdump will use process name in output file if no name is specified.", "attack": ["credential-access - LSASS Memory (T1003.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "dd84411b-7ab9-4d85-93f3-06c042308596", "name": "Process Hollowing Detection", "effort": "master", "data_sources": ["Loaded DLLs", "Process monitoring", "Windows event logs"], "description": "Detection of process hollowing using Sysmon Event ID 25. It detects that an image has been replaced in a process memory.", "attack": ["privilege-escalation - Process Hollowing (T1055.012)"], "intake-formats": ["Azure Windows", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "86b0e54e-060f-4b0f-b428-d4fce3d30f34", "name": "Audit CVE Event", "effort": "elementary", "data_sources": ["Windows event logs"], "description": "Detects events generated by Windows to indicate the exploitation of a known vulnerability.", "attack": ["execution - Exploitation for Client Execution (T1203)", "privilege-escalation - Exploitation for Privilege Escalation (T1068)", "stealth - Exploitation for Stealth (T1211)", "credential-access - Exploitation for Credential Access (T1212)", "lateral-movement - Exploitation of Remote Services (T1210)", "impact - Application or System Exploitation (T1499.004)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "4eec26d9-72e2-41a9-a92f-e551dd348cd4", "name": "Suspicious certutil command", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Process use of network", "Windows event logs"], "description": "Detects suspicious certutil command which can be used by threat actors to download and/or decode payload. ", "attack": ["stealth - Deobfuscate/Decode Files or Information (T1140)", "defense-impairment - Install Root Certificate (T1553.004)", "command-and-control - Ingress Tool Transfer (T1105)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "3bb9a2c9-1684-4a87-b2a2-70b4be889b29", "name": "Logon Scripts (UserInitMprLogonScript)", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs", "Windows Registry"], "description": "Detects creation or execution of UserInitMprLogonScript persistence method. The rule requires to log for process command lines and registry creations or update, which can be done using Sysmon Event IDs 1, 12, 13 and 14.", "attack": ["privilege-escalation - Logon Script (Windows) (T1037.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "One Identity SPS", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "WithSecure Elements", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "95028c6e-b513-46a7-b758-1f8c1d65f5f8", "name": "Registry Checked For Lanmanserver DisableCompression Parameter", "effort": "master", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects registry access for Lanmanserver\\Parameters. The check of the value DisableCompression could be a sign of an attack trying to exploit SMBGhost vulnerability (CVE-2020-0796).", "attack": ["lateral-movement - Exploitation of Remote Services (T1210)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "915199d4-f42f-4185-8fd0-46da4dbc7c63", "name": "Correlation Impacket Smbexec", "effort": "elementary", "data_sources": ["Windows event logs"], "description": "This rule detects the execution of smbexec via the relevant share pattern name ", "attack": ["lateral-movement - SMB/Windows Admin Shares (T1021.002)", "execution - Service Execution (T1569.002)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "182a969f-1abf-406e-af0b-eb6a19f7e2f1", "name": "Suspicious DLL Loaded Via Office Applications", "effort": "master", "data_sources": ["Loaded DLLs", "Process monitoring", "Windows event logs"], "description": "Detects suspicious DLL being loaded by an Microsoft Office Product. Considered as suspects are some .NET DLLs, clr.dll, GAC DLL, DSParse (Active Directoryi services API) or Kerberos DLLs which may be loaded by MS Office processes when executing a potentially malicious macro. The prerequisite is to log the Sysmon Event ID 7 (DLL image loaded by process). ", "attack": ["execution - Malicious File (T1204.002)", "execution - Visual Basic (T1059.005)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "f86b933e-e640-405b-856d-12c86f007ce3", "name": "Stop Backup Services", "effort": "master", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters", "PowerShell logs", "Windows Registry"], "description": "Detects adversaries attempts to stop backups services or disable Windows previous files versions feature. This could be related to ransomware operators or legit administrators. This rule relies Windows command line logging and registry logging, and PowerShell (ID 4103, 4104).", "attack": ["impact - Inhibit System Recovery (T1490)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "One Identity SPS", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "WithSecure Elements", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "74e784d5-39ac-439c-9e98-1671c1e4621f", "name": "Suspicious PowerShell Invocations - Specific", "effort": "intermediate", "data_sources": ["Windows event logs", "Process command-line parameters"], "description": "Detects suspicious PowerShell invocation command parameters.", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "8b93f48b-6386-4da6-ac41-1d02a66cf84a", "name": "Putty Sessions Listing", "effort": "master", "data_sources": ["Windows event logs", "Windows Registry", "Process command-line parameters"], "description": "Detects attempts to list Putty sessions through registry. To fully work, this rule requires to log registry accesses, which can be done with the Windows Event ID 4656 or 4663 but for that specific configuration is needed.", "attack": ["discovery - Query Registry (T1012)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Citrix NetScaler / ADC", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "95df7b9f-9cf2-4f3e-8483-2765536198f7", "name": "Exchange Server Spawning Suspicious Processes", "effort": "intermediate", "data_sources": ["Windows event logs", "Process monitoring"], "description": "Look for Microsoft Exchange Server\u2019s Unified Messaging service spawning suspicious sub-processes, suggesting exploitation of CVE-2021-26857 vulnerability.", "attack": ["persistence - Web Shell (T1505.003)"], "intake-formats": ["Azure Activity Logs", "Azure Windows", "ESET Protect", "OCSF", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "f93f7e76-75f9-46ee-b5ea-796590165f24", "name": "NetSh Used To Disable Windows Firewall", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects NetSh commands used to disable the Windows Firewall", "attack": ["stealth - Disable or Modify System Firewall (T1562.004)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "a6bfcc15-894a-4b71-b74c-166f9da6b9b8", "name": "User Added to Local Administrators", "effort": "master", "data_sources": ["Windows event logs", "Authentication logs"], "description": "Detects when user accounts are added which could be legitimate activity or a sign of privilege escalation activity, Potential False-Positives Legitimate administrative activity WinRM clients", "attack": ["initial-access - Valid Accounts (T1078)", "privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "e835209b-7541-4ff8-945f-f0334fb71ef9", "name": "External Disk Drive Or USB Storage Device", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects external diskdrives or plugged in USB device.", "attack": ["initial-access - Replication Through Removable Media (T1091)", "initial-access - Hardware Additions (T1200)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "2a0d8735-048c-4c95-a564-292bd1c456e1", "name": "PasswordDump SecurityXploded Tool", "effort": "elementary", "data_sources": ["File monitoring", "Process monitoring", "Windows event logs"], "description": "Detects the execution of the PasswordDump SecurityXploded Tool", "attack": ["credential-access - Credentials from Password Stores (T1555)"], "intake-formats": ["Broadcom Siteminder", "Fortinet FortiGate", "Cloudflare Gateway HTTP", "Cybereason EDR", "Elastic AuditBeat Linux", "Trellix Network Security", "Cisco Secure Web Appliance", "Azure Windows", "Proofpoint PoD", "Juniper NGFW", "Daspren Parad", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Zscaler Internet Access", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Fortinet FortiProxy", "Stormshield SNS", "Microsoft 365 / Office 365", "OCSF", "VMware vCenter", "Crowdstrike Falcon Telemetry", "Elastic Winlogbeat", "Watchguard EPDR", "ManageEngine ADAudit Plus", "CrowdStrike Falcon", "Postfix", "Google Workspace / ChromeOS", "Trellix Advanced Threat Defense", "TEHTRIS EDR", "BeyondTrust Privileged Remote Access Session", "BeyondTrust PRA Team [BETA]", "Akamai Guardicore Cloud [BETA]", "Sekoia.io Endpoint Agent", "Cisco Umbrella Proxy", "Varonis Data Security", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Trellix EPO [ALPHA]", "Broadcom/Symantec Endpoint Security", "Trellix ePO (on-prem)", "Cisco IOS router and switch", "WithSecure Elements", "Microsoft Defender XDR (Graph API) [BETA]", "Akamai Guardicore On-Prem [BETA]", "Cisco Secure Firewall", "Palo Alto Prisma access", "IBM AIX", "Windows Log Insight", "SonicWall Firewall", "Mimecast Email Security", "ESET Protect", "Cato Networks SASE", "CyberArk Audit Logs", "Gatewatcher AionIQ V103", "CEF", "Fortinet FortiMail", "Palo Alto NGFW", "Netskope", "Thinkst Canary", "Cisco NX-OS", "Windows", "Jumpcloud Directory Insights", "Keycloak Events", "Gatewatcher AionIQ v102", "Claroty xDome", "Trend Micro Vision One Workbench Alerts [BETA]", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "CyberArk Digital Vault", "Trend Micro Cloud One / Deep Security", "Azure Activity Logs", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "SentinelOne EDR", "Kaspersky Endpoint Security", "IBM iSeries"]}, {"uuid": "d45a3a30-7ac0-4cfe-b3d8-a685c0bdd61f", "name": "UAC Bypass Using Fodhelper", "effort": "intermediate", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects UAC bypass method using Fodhelper after setting the proper registry key, used in particular by Agent Tesla (RAT) or more recently by Earth Luscas. Prerequisites are logging for Registry events in the Sysmon configuration (events 12 and 13).", "attack": ["privilege-escalation - Bypass User Account Control (T1548.002)"], "intake-formats": ["Azure Windows", "Microsoft Defender XDR (Graph API) [BETA]", "Sekoia.io Endpoint Agent", "BeyondTrust Privileged Remote Access Session", "Microsoft Defender XDR / Microsoft 365 Defender", "Trend Micro Vision One Workbench Alerts [BETA]", "BeyondTrust PRA Team [BETA]", "SentinelOne Cloud Funnel 2.0", "Crowdstrike Falcon Telemetry", "HarfangLab EDR", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "Windows", "Elastic Winlogbeat"]}, {"uuid": "e21b9130-02dc-4a13-98fd-4e06ecd922cf", "name": "Suspicious Outlook Child Process", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects suspicious child processes of Microsoft Outlook. These child processes are often associated with spearphishing activity.", "attack": ["initial-access - Phishing (T1566)", "execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)"], "intake-formats": ["Azure Activity Logs", "Azure Windows", "ESET Protect", "OCSF", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "3de38882-4782-4d8e-a8a9-f5a7024729ea", "name": "Autorun Keys Modification", "effort": "master", "data_sources": ["Windows Registry"], "description": "Detects modification of autostart extensibility point (ASEP) in registry. Prerequisites are Logging for Registry events in the Sysmon configuration (events 12 and 13).", "attack": ["privilege-escalation - Registry Run Keys / Startup Folder (T1547.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "One Identity SPS", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "WithSecure Elements", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "3d6d8bbc-97b4-4daa-b5c4-0687fb836100", "name": "Suspicious DNS Child Process", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects suspicious processes spawned by the dns.exe process. It could be a great indication of the exploitation of the DNS RCE bug reported in CVE-2020-1350 (SIGRED).", "attack": ["initial-access - Exploit Public-Facing Application (T1190)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Azure Activity Logs", "Azure Windows", "ESET Protect", "OCSF", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "af70a0e0-6339-49ef-951f-34c4c9e2038c", "name": "User Account Deleted", "effort": "master", "data_sources": ["Windows event logs"], "description": "Detects local user deletion", "attack": ["impact - Account Access Removal (T1531)"], "intake-formats": ["Keycloak Events", "Trend Micro Apex One / Vision One endpoint", "Fortinet FortiGate", "Cisco Secure Firewall", "Claroty xDome", "Palo Alto Prisma access", "RSA SecurID", "Sophos EDR", "WatchGuard Firebox", "IBM AIX", "Windows Log Insight", "Clavister NGFW", "F5 BIG-IP", "Ivanti / Pulse Connect Secure", "SonicWall Firewall", "NeroSwarm Honeypot", "Azure Network Watcher [DEPRECATED]", "Citrix NetScaler / ADC", "CyberArk Audit Logs", "Delinea PRA", "ArubaOS Switch", "Radware DefensePro [Beta]", "Salesforce", "Kubernetes Audit Log", "Trellix Advanced Threat Defense", "TEHTRIS EDR", "Azure Windows", "BeyondTrust Privileged Remote Access Session", "AWS CloudTrail", "Check Point NGFW", "BeyondTrust PRA Team [BETA]", "Sophos Analysis Threat Center", "WithSecure Elements", "CyberArk Digital Vault", "Cybereason EDR activity", "Forcepoint Next-Generation Firewall", "Palo Alto NGFW", "HarfangLab EDR", "Microsoft 365 / Office 365", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Lacework Cloud Security", "OCSF", "Sekoia.io Endpoint Agent", "IBM iSeries", "ExtraHop Reveal(x) 360", "Azure Network Watcher Flow Logs", "BeyondTrust PRA Vault Account Activity [BETA]", "Forcepoint Secure Web Gateway", "Thinkst Canary", "VMware vCenter", "Cisco NX-OS", "NucleonEDR", "Stormshield SES", "Trellix ePO (on-prem)", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "49233d45-8c88-4679-86c3-d59b48f78eaf", "name": "SCM Database Handle Failure", "effort": "master", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects non-system users failing to get a handle of the SCM database.", "attack": ["discovery - System Service Discovery (T1007)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "f16976af-ea10-4655-aef6-970d1aca4276", "name": "Cookies Deletion", "effort": "master", "data_sources": ["Windows event logs"], "description": "Detects when cookies are deleted by a suspicious process.", "attack": ["stealth - Indicator Removal (T1070)"], "intake-formats": ["Netskope", "Sekoia.io Endpoint Agent", "BeyondTrust Privileged Remote Access Session", "IBM iSeries", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "CyberArk Audit Logs", "Trend Micro Apex One / Vision One endpoint", "HarfangLab EDR", "Palo Alto Cortex XDR (EDR)", "Windows", "Elastic Winlogbeat"]}, {"uuid": "c5330fb6-1240-4863-a409-4459323ca65a", "name": "Advanced IP Scanner", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring", "Process use of network", "File monitoring"], "description": "Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.", "attack": ["discovery - Network Service Discovery (T1046)"], "intake-formats": ["Broadcom Siteminder", "Fortinet FortiGate", "Cloudflare Gateway HTTP", "Cybereason EDR", "Elastic AuditBeat Linux", "Trellix Network Security", "Cisco Secure Web Appliance", "Azure Windows", "Proofpoint PoD", "Juniper NGFW", "Daspren Parad", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Zscaler Internet Access", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Fortinet FortiProxy", "Stormshield SNS", "Microsoft 365 / Office 365", "OCSF", "VMware vCenter", "Crowdstrike Falcon Telemetry", "Elastic Winlogbeat", "Systancia Cleanroom", "Watchguard EPDR", "ManageEngine ADAudit Plus", "CrowdStrike Falcon", "Postfix", "Google Workspace / ChromeOS", "Trellix Advanced Threat Defense", "TEHTRIS EDR", "BeyondTrust Privileged Remote Access Session", "BeyondTrust PRA Team [BETA]", "Akamai Guardicore Cloud [BETA]", "Sekoia.io Endpoint Agent", "Cisco Umbrella Proxy", "Varonis Data Security", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Trellix EPO [ALPHA]", "Broadcom/Symantec Endpoint Security", "Cisco IOS router and switch", "Trellix ePO (on-prem)", "WithSecure Elements", "Microsoft Defender XDR (Graph API) [BETA]", "Akamai Guardicore On-Prem [BETA]", "Cisco Secure Firewall", "Palo Alto Prisma access", "IBM AIX", "Windows Log Insight", "SonicWall Firewall", "Mimecast Email Security", "ESET Protect", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Cato Networks SASE", "CyberArk Audit Logs", "Gatewatcher AionIQ V103", "CEF", "Fortinet FortiMail", "Palo Alto NGFW", "Netskope", "Thinkst Canary", "Cisco NX-OS", "NucleonEDR", "Windows", "Jumpcloud Directory Insights", "Keycloak Events", "Gatewatcher AionIQ v102", "Claroty xDome", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "F5 BIG-IP", "VMware ESXi", "Bitdefender GravityZone", "Palo Alto Cortex XDR (EDR)", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "CyberArk Digital Vault", "Trend Micro Cloud One / Deep Security", "Azure Activity Logs", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "SentinelOne EDR", "Kaspersky Endpoint Security", "IBM iSeries", "WALLIX Bastion"]}, {"uuid": "4d7a9d37-1bd8-4397-96dc-3e7de476e099", "name": "CreateRemoteThread Common Process Injection", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects a possible process injection through CreateRemoteThread() which is spotted by EventID 8 from Sysmon and several EDRs. This rule has a list of process commonly being injected by the attackers that should be updated regularly.", "attack": ["privilege-escalation - Dynamic-link Library Injection (T1055.001)"], "intake-formats": []}, {"uuid": "009fb9b0-0947-4576-a6d9-3d0793e569c4", "name": "HTA Infection Chains", "effort": "advanced", "data_sources": ["Process monitoring", "Windows event logs", "File monitoring"], "description": "Detect the creation of a ZIP file and an HTA file as it is often used in infection chains. Furthermore it also detects the use of suspicious processes launched by explorer.exe combined with the creation of an HTA file, since it is also often used in infection chains (LNK - HTA for instance).", "attack": ["execution - Malicious Link (T1204.001)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Fortinet FortiGate", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "Palo Alto Prisma access", "IBM AIX", "Watchguard EPDR", "CrowdStrike Falcon", "Postfix", "SonicWall Firewall", "Cybereason EDR", "VMware ESXi", "ESET Protect", "Google Workspace / ChromeOS", "Cato Networks SASE", "Palo Alto Cortex XDR (EDR)", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "CEF", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "Daspren Parad", "One Identity SPS", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Zscaler Internet Access", "Palo Alto NGFW", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Microsoft 365 / Office 365", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Netskope", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "Cisco Umbrella Proxy", "Varonis Data Security", "IBM iSeries", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Trellix ePO (on-prem)", "Windows"]}, {"uuid": "5b4578b4-8c19-431a-a4f6-fc9e6223fb61", "name": "Suspicious PowerShell Keywords", "effort": "advanced", "data_sources": ["Windows event logs", "PowerShell logs"], "description": "Detects keywords that could indicate the use of some PowerShell exploitation framework.", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "eb960f64-2aac-462d-b069-e94deaed7568", "name": "Lateral Movement Remote Named Pipe", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects lateral movement and remote exec using named pipe over network. This requires Windows Security event logging with the File Share enable policy.", "attack": ["lateral-movement - SMB/Windows Admin Shares (T1021.002)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "ee62b40a-9d08-40c2-84a5-6dba38eb9182", "name": "Malware Persistence Registry Key", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs", "Windows Registry"], "description": "Detects registry key used by several malware, especially Formbook spyware in two ways, either the Sysmon registry events, or the commands line.", "attack": ["privilege-escalation - Registry Run Keys / Startup Folder (T1547.001)", "persistence - Registry Run Keys / Startup Folder (T1060)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "d62f9d25-1914-44a6-8604-4a99c8baf13c", "name": "Mshta Suspicious Child Process", "effort": "intermediate", "data_sources": ["Windows event logs", "Process monitoring"], "description": "Detects the use of various web request methods executed remotely via Windows PowerShell", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Azure Windows", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "Sophos Analysis Threat Center", "Elastic Winlogbeat", "SentinelOne Cloud Funnel 2.0", "Tanium", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "fc0f3fd8-c16c-498b-87b3-c5675bd50730", "name": "Control Panel Items", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects the malicious use of a control panel item", "attack": ["stealth - Control Panel (T1218.002)", "persistence - Event Triggered Execution (T1546)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "1c847dec-7c13-46f6-a89d-2ad9fef50ee5", "name": "Remote Monitoring and Management Software - Atera", "effort": "master", "data_sources": ["Process monitoring", "Network protocol analysis", "Services", "Windows Registry", "File monitoring"], "description": "Detect artifacts related to the installation or execution of the Remote Monitoring and Management tool Atera.", "attack": ["command-and-control - Remote Access Tools (T1219)"], "intake-formats": ["Fortinet FortiGate", "Cloudflare Gateway HTTP", "Hornetsecurity 365 Total Protection", "AWS WAF", "Apache HTTP Server", "NeroSwarm Honeypot", "Cybereason EDR", "Elastic AuditBeat Linux", "Trellix Network Security", "Delinea PRA", "Cisco Secure Web Appliance", "Cloudflare Gateway Network", "Azure Windows", "Juniper NGFW", "Daspren Parad", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Cloudflare DNS logs", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Zscaler Internet Access", "Forcepoint Next-Generation Firewall", "Vectra Cognito Detect", "HarfangLab EDR", "Fortinet FortiProxy", "Stormshield SNS", "Microsoft 365 / Office 365", "EfficientIP SOLIDServer DDI", "OCSF", "VMware vCenter", "Suricata", "Cloudflare Gateway DNS", "Crowdstrike Falcon Telemetry", "Elastic Winlogbeat", "Systancia Cleanroom", "Watchguard EPDR", "Cisco ISE", "ManageEngine ADAudit Plus", "Broadcom Edge Secure Web Gateway", "CrowdStrike Falcon", "Infoblox DDI", "Postfix", "PingFederate", "Cloudflare WAF events", "TEHTRIS EDR", "AWS CloudFront", "BeyondTrust Privileged Remote Access Session", "AWS GuardDuty", "BeyondTrust PRA Team [BETA]", "BIND", "Zscaler Private Access [BETA]", "Nozomi CMC", "Akamai Guardicore Cloud [BETA]", "Sekoia.io Endpoint Agent", "Cisco Umbrella Proxy", "Varonis Data Security", "F5 NGINX", "Forcepoint Secure Web Gateway", "Trend Micro Apex One / Vision One endpoint", "Cisco Umbrella DNS", "Broadcom/Symantec Endpoint Security", "Stormshield SES", "Cisco IOS router and switch", "Trellix EPO [ALPHA]", "Trellix ePO (on-prem)", "WithSecure Elements", "Microsoft Defender XDR (Graph API) [BETA]", "Akamai Guardicore On-Prem [BETA]", "Cisco Secure Firewall", "Palo Alto Prisma access", "IBM AIX", "Windows Log Insight", "Unbound", "SonicWall Firewall", "ESET Protect", "Google Kubernetes Engine", "Cato Networks SASE", "Imperva WAF", "CyberArk Audit Logs", "ArubaOS Switch", "HAProxy", "CEF", "Check Point NGFW", "Fortinet FortiMail", "Palo Alto NGFW", "Sophos Firewall", "Netskope", "Thinkst Canary", "Cisco NX-OS", "NucleonEDR", "Windows", "Jumpcloud Directory Insights", "Keycloak Events", "Gatewatcher AionIQ v102", "Claroty xDome", "Trend Micro Vision One Workbench Alerts [BETA]", "Sophos EDR", "WatchGuard Firebox", "Squid", "F5 BIG-IP", "Ivanti / Pulse Connect Secure", "VMware ESXi", "Bitdefender GravityZone", "Broadcom Cloud Secure Web Gateway", "Palo Alto Cortex XDR (EDR)", "Retarus Email Security", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "CyberArk Digital Vault", "OGO WAF", "Trend Micro Cloud One / Deep Security", "Azure Activity Logs", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "SentinelOne EDR", "Kaspersky Endpoint Security", "IBM iSeries", "WALLIX Bastion", "Vade Cloud"]}, {"uuid": "dd415468-8376-4da8-aabc-8ad565971e46", "name": "Trickbot Malware Activity", "effort": "intermediate", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters", "DLL monitoring", "Loaded DLLs"], "description": "Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe.", "attack": ["discovery - Domain Trust Discovery (T1482)", "execution - Command and Scripting Interpreter (T1059)"], "intake-formats": ["Azure Windows", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "Sophos Analysis Threat Center", "Elastic Winlogbeat", "SentinelOne Cloud Funnel 2.0", "Tanium", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "bee5faff-703f-4cda-9e2e-8555bc4feff4", "name": "Active Directory Database Dump Via Ntdsutil", "effort": "elementary", "data_sources": ["Windows event logs"], "description": "Detects the dump of ntdis.dit database by using the utility ntdsutil.exe. NTDS.dit database stores Active Directory data, including passwords hashes for all users in the domain.", "attack": ["credential-access - NTDS (T1003.003)"], "intake-formats": ["Check Point NGFW", "Windows", "Sekoia.io Endpoint Agent", "Forcepoint Next-Generation Firewall"]}, {"uuid": "80c85cbc-676f-472f-93a8-8c9fdce571e5", "name": "NTDS.dit File In Suspicious Directory", "effort": "advanced", "data_sources": ["File monitoring", "Windows event logs"], "description": "The file NTDS.dit is supposed to be located mainly in C:\\Windows\\NTDS. The rule checks whether the file is in a legitimate directory or not (through file creation events). This is usually really suspicious and could indicate an attacker trying copy the file to then look for users password hashes.", "attack": ["credential-access - NTDS (T1003.003)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Palo Alto Prisma access", "IBM AIX", "Watchguard EPDR", "ManageEngine ADAudit Plus", "SonicWall Firewall", "Cybereason EDR", "VMware ESXi", "Trellix Network Security", "CyberArk Audit Logs", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Azure Windows", "BeyondTrust Privileged Remote Access Session", "CEF", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "Daspren Parad", "One Identity SPS", "Sophos Analysis Threat Center", "Tanium", "Palo Alto NGFW", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Netskope", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "Kaspersky Endpoint Security", "Varonis Data Security", "IBM iSeries", "Cisco NX-OS", "Trend Micro Apex One / Vision One endpoint", "WithSecure Elements", "Windows", "Elastic Winlogbeat"]}, {"uuid": "20a3eca9-7195-4b47-9592-89a0d4821bc5", "name": "AccCheckConsole Executing Dll", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL.", "attack": ["stealth - System Binary Proxy Execution (T1218)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "db8c0233-587a-4b72-b7c7-58ac8aa6cdde", "name": "Microsoft Defender Antivirus Threat Detected", "effort": "advanced", "data_sources": ["Windows event logs", "Anti-virus", "File monitoring"], "description": "Detection of a windows defender alert indicating the presence of potential malware", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["Azure Windows", "Keycloak Events", "Fortinet FortiGate", "OCSF", "Sekoia.io Endpoint Agent", "Stormshield SES", "AWS CloudTrail", "WithSecure Elements", "CyberArk Audit Logs", "Delinea PRA", "ArubaOS Switch", "HarfangLab EDR", "Ivanti / Pulse Connect Secure", "Trellix ePO (on-prem)", "Windows", "NeroSwarm Honeypot", "Elastic Winlogbeat"]}, {"uuid": "0050de2e-5686-4ff5-a5a3-945db3704a6a", "name": "Aspnet Compiler", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects the starts of aspnet compiler.", "attack": ["execution - Command and Scripting Interpreter (T1059)"], "intake-formats": ["Keycloak Events", "Akamai Guardicore On-Prem [BETA]", "Cisco Secure Firewall", "VMware ESXi", "Elastic AuditBeat Linux", "Juniper NGFW", "Barracuda CloudGen Firewall", "SentinelOne Cloud Funnel 2.0", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Microsoft 365 / Office 365", "Akamai Guardicore Cloud [BETA]", "Sekoia.io Endpoint Agent", "IBM iSeries", "VMware vCenter", "WithSecure Elements", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "3cac256a-24e5-4987-8e5c-9bb1ef453ef0", "name": "Evil Winrm Modules Execution", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs", "Process command-line parameters"], "description": "This rule detects suspicious PowerShell activity consistent with the Evil-WinRM remote shell being executed via the Windows Remote Management host process", "attack": ["stealth - Clear Mailbox Data (T1070.008)", "execution - PowerShell (T1059.001)"], "intake-formats": ["Sekoia.io Endpoint Agent", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "HarfangLab EDR", "Windows", "Elastic Winlogbeat"]}, {"uuid": "ecdad0a7-c7da-4076-9465-7354ba48c5a6", "name": "WMI Event Subscription", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects creation of WMI event subscription persistence method ", "attack": ["persistence - Windows Management Instrumentation Event Subscription (T1546.003)"], "intake-formats": ["Sekoia.io Endpoint Agent", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "492f8443-7229-457d-a233-75a53d9f1842", "name": "Suspicious Regsvr32 Execution", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects suspicious regsvr32.exe executions, either regsvr32 registering a DLL in an unusual repository (temp/, appdata/ or public/), or regsvr32 executed by an unusual parent process, or regsvr32 executing an unusual process, or regsvr32 registering a media file and not a DLL (as seen in IcedID campaigns), or regsvr32 registering a ocx file in appdata/.", "attack": ["stealth - Regsvr32 (T1218.010)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "ESET Protect", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "9b9c64f9-13b7-49ca-bf25-aebd1f980d80", "name": "Microsoft Office Startup Add-In", "effort": "elementary", "data_sources": ["File monitoring", "Windows event logs"], "description": "Detects add-ins that load when Microsoft Word or Excel starts (.wll/.xll are simply .dll fit for Word or Excel). The rule requires File Creation logging to work, which can be done using Sysmon Event ID 11.", "attack": ["persistence - Add-ins (T1137.006)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "175e2a58-096a-4b25-891f-5fbe7848ae8f", "name": "Microsoft Defender Antivirus Restoration Abuse", "effort": "intermediate", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters"], "description": "The rule detects attempts to abuse Windows Defender file restoration tool. The Windows Defender process is allowed to write files in its own protected directory. This functionality can be used by a threat actor to overwrite Windows Defender files in order to prevent it from running correctly or use Windows Defender to execute a malicious DLL.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "3f741476-a472-45e4-b1ca-13d5dcc27954", "name": "Exfiltration Via Pscp", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects the use of pscp which is a file sharing services.", "attack": ["execution - System Services (T1569)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "f10d26f4-594e-4833-98f0-82e23440bcf4", "name": "Commonly Used Commands To Stop Services And Remove Backups", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects specific commands used regularly by ransomwares to stop services or remove backups", "attack": ["impact - Service Stop (T1489)", "impact - Inhibit System Recovery (T1490)", "impact - Data Destruction (T1485)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "6704b0b1-e74f-4af7-adfa-8a4b4396c343", "name": "WMIC Uninstall Product", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects products being uninstalled using WMIC command.", "attack": ["stealth - Disable or Modify Tools (T1562.001)", "execution - Windows Management Instrumentation (T1047)", "execution - Windows Command Shell (T1059.003)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "bf922381-c7ae-43a0-b92f-4e9a72b0b5f3", "name": "STRRAT Scheduled Task", "effort": "intermediate", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters"], "description": "Detect STRRAT when it achieves persistence by creating a scheduled task. STRRAT is a Java-based stealer and remote backdoor, it establishes persistence using this specific command line: 'cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr \"C:\\Users\\Admin\\AppData\\Roaming\\SAMPLENAME.jar\"'", "attack": ["privilege-escalation - Scheduled Task (T1053.005)"], "intake-formats": ["Azure Activity Logs", "Azure Windows", "OCSF", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Bitdefender GravityZone", "Microsoft Defender XDR / Microsoft 365 Defender", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "1425baaa-5292-4cba-9104-437a4dbff2c7", "name": "Rare Logonui Child Found", "effort": "advanced", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Logonui.exe is a file associated with the Logon user interface. The login user interface is an essential part of the Windows operating system. It not only makes it easy for the user to log in to the PC but also determines whether the user has logged in and logged out correctly and makes it easy to switch between users. This process could create a child process but it is very rare and could be a signal of some process injection.", "attack": ["privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Azure Windows", "ESET Protect", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Tanium", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "7b4dabe9-63e4-4361-8623-f47d96649722", "name": "Hiding Files With Attrib.exe", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects usage of attrib.exe to hide files from users.", "attack": ["stealth - Hidden Files and Directories (T1564.001)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "78136c52-61aa-4396-aff4-7559166be5d4", "name": "Netsh RDP Port Opening", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Process use of network", "Windows event logs"], "description": "Detects netsh commands that opens the port 3389 used for RDP, used in Sarwent Malware.", "attack": ["stealth - Disable or Modify System Firewall (T1562.004)", "stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "f4f5142a-a3bd-4fa9-914d-64eef43ebcf6", "name": "Correlation Suspicious Authentication Coercer Behavior", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "Detect a possible NTLM Relay attack combine with authent coerce", "attack": ["credential-access - Forced Authentication (T1187)", "collection - Adversary-in-the-Middle (T1557)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent", "Elastic Winlogbeat"]}, {"uuid": "65b1014b-83be-4f8a-bf55-48faa6e2a474", "name": "CVE-2019-0708 Scan", "effort": "elementary", "data_sources": ["Windows event logs"], "description": "Detects the use of a scanner that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep.", "attack": ["lateral-movement - Exploitation of Remote Services (T1210)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent", "Elastic Winlogbeat"]}, {"uuid": "49eef639-909a-4447-94ff-2574ad360e24", "name": "HackTools Suspicious Names", "effort": "advanced", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Quick-win rule to detect the default process names or file names of several HackTools.", "attack": ["credential-access - OS Credential Dumping (T1003)"], "intake-formats": ["Broadcom Siteminder", "Fortinet FortiGate", "Cloudflare Gateway HTTP", "Cybereason EDR", "Elastic AuditBeat Linux", "Trellix Network Security", "Cisco Secure Web Appliance", "Azure Windows", "Proofpoint PoD", "Juniper NGFW", "Daspren Parad", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Zscaler Internet Access", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Fortinet FortiProxy", "Stormshield SNS", "Microsoft 365 / Office 365", "OCSF", "VMware vCenter", "Crowdstrike Falcon Telemetry", "Elastic Winlogbeat", "Watchguard EPDR", "ManageEngine ADAudit Plus", "CrowdStrike Falcon", "Postfix", "Google Workspace / ChromeOS", "Trellix Advanced Threat Defense", "TEHTRIS EDR", "BeyondTrust Privileged Remote Access Session", "BeyondTrust PRA Team [BETA]", "Akamai Guardicore Cloud [BETA]", "Sekoia.io Endpoint Agent", "Cisco Umbrella Proxy", "Varonis Data Security", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Trellix EPO [ALPHA]", "Broadcom/Symantec Endpoint Security", "Trellix ePO (on-prem)", "Cisco IOS router and switch", "WithSecure Elements", "Microsoft Defender XDR (Graph API) [BETA]", "Akamai Guardicore On-Prem [BETA]", "Cisco Secure Firewall", "Palo Alto Prisma access", "IBM AIX", "Windows Log Insight", "SonicWall Firewall", "Mimecast Email Security", "ESET Protect", "Cato Networks SASE", "CyberArk Audit Logs", "Gatewatcher AionIQ V103", "CEF", "Fortinet FortiMail", "Palo Alto NGFW", "Netskope", "Thinkst Canary", "Cisco NX-OS", "Windows", "Jumpcloud Directory Insights", "Keycloak Events", "Gatewatcher AionIQ v102", "Claroty xDome", "Trend Micro Vision One Workbench Alerts [BETA]", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "CyberArk Digital Vault", "Trend Micro Cloud One / Deep Security", "Azure Activity Logs", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "SentinelOne EDR", "Kaspersky Endpoint Security", "IBM iSeries"]}, {"uuid": "6b5e37d7-d596-47b9-990a-fa8ea86f09d5", "name": "Successful Overpass The Hash Attempt", "effort": "advanced", "data_sources": ["Authentication logs", "Windows event logs"], "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.", "attack": ["lateral-movement - Pass the Hash (T1550.002)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent", "Elastic Winlogbeat"]}, {"uuid": "00db53fd-dbb2-4a4d-affb-2e76600a833b", "name": "Svchost Modification", "effort": "advanced", "data_sources": ["Windows Registry", "Windows event logs"], "description": "Detects the modification of svchost in the registry.", "attack": ["privilege-escalation - Registry Run Keys / Startup Folder (T1547.001)"], "intake-formats": ["Azure Windows", "Microsoft Defender XDR (Graph API) [BETA]", "Sekoia.io Endpoint Agent", "BeyondTrust Privileged Remote Access Session", "Microsoft Defender XDR / Microsoft 365 Defender", "Trend Micro Vision One Workbench Alerts [BETA]", "Sophos Analysis Threat Center", "BeyondTrust PRA Team [BETA]", "SentinelOne Cloud Funnel 2.0", "Tanium", "Crowdstrike Falcon Telemetry", "HarfangLab EDR", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "Windows", "Elastic Winlogbeat"]}, {"uuid": "e504890a-27fe-47fb-a998-91ef7352f1a5", "name": "Powershell Web Request And Windows Script", "effort": "intermediate", "data_sources": ["Windows event logs", "PowerShell logs", "Process use of network"], "description": "Detects the use of PowerShell web request method combined with Windows Script utilities. This has been observed being used by some malware loaders.", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "6a9ff610-8704-4640-9697-412443882dee", "name": "Suspicious New Printer Ports In Registry", "effort": "master", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects a suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048. The CVE-2020-1048 consists in gaining persistence, privilege by abusing a flaw in the Print Spooler service to execute a payload whose path is stored in the registry key. To fully use this rule, prerequesites are logging for Registry events in the Sysmon configuration (events 12, 13 and 14).", "attack": ["execution - Exploitation for Client Execution (T1203)", "persistence - Modify Registry (T1112)", "privilege-escalation - Exploitation for Privilege Escalation (T1068)"], "intake-formats": ["Azure Windows", "Microsoft Defender XDR (Graph API) [BETA]", "Sekoia.io Endpoint Agent", "BeyondTrust Privileged Remote Access Session", "Microsoft Defender XDR / Microsoft 365 Defender", "Trend Micro Vision One Workbench Alerts [BETA]", "Sophos Analysis Threat Center", "BeyondTrust PRA Team [BETA]", "SentinelOne Cloud Funnel 2.0", "Tanium", "Crowdstrike Falcon Telemetry", "HarfangLab EDR", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "Windows", "Elastic Winlogbeat"]}, {"uuid": "af6a3529-3482-4583-9fa7-0b74d899c959", "name": "Clear EventLogs Through CommandLine", "effort": "intermediate", "data_sources": ["Windows event logs", "Process command-line parameters", "Process monitoring"], "description": "Detects a command that clears event logs which could indicate an attempt from an attacker to erase its previous traces.", "attack": ["stealth - Indicator Removal (T1070)", "stealth - Indicator Blocking (T1562.006)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "d12fcd50-6c26-48b3-9dcf-52a8e59bf1fb", "name": "Microsoft Defender Antivirus Disable SecurityHealth", "effort": "intermediate", "data_sources": ["Windows event logs", "Windows Registry", "Process monitoring", "Process command-line parameters"], "description": "The rule detects attempts to deactivate/disable Windows Defender SecurityHealth through command line, PowerShell scripts, and registry. To fully use this rule Windows Registry logging is recommended.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "58b64ad1-b954-4ed7-9542-1983b4ec5e2c", "name": "WMI Persistence Script Event Consumer File Write", "effort": "advanced", "data_sources": ["Windows event logs", "Process monitoring", "File monitoring"], "description": "Detects file writes through WMI script event consumer.", "attack": ["persistence - Windows Management Instrumentation Event Subscription (T1546.003)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "IBM AIX", "SonicWall Firewall", "Stormshield SES", "Cybereason EDR", "VMware ESXi", "ESET Protect", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Azure Windows", "Juniper NGFW", "CEF", "Barracuda CloudGen Firewall", "Daspren Parad", "Sophos Analysis Threat Center", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "IBM iSeries", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Broadcom/Symantec Endpoint Security", "Windows", "Elastic Winlogbeat"]}, {"uuid": "19628af2-d55d-4b46-a405-0fcdc28bcced", "name": "Suspicious Driver Loaded", "effort": "intermediate", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Checks the registry key for suspicious driver names that are vulnerable most of the time and loaded in a specific location by the KDU tool from hfiref0x. Some drivers are used by several SysInternals tools, which should have been whitelisted in the filter condition. The driver named \"DBUtilDrv2\" has been removed as it caused too many false positives unfortunately. It can be added under \"drv_name\" if more coverage is wanted. This rule needs registry key monitoring (can be done with Sysmon Event IDs 12,13 and 14).", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Azure Windows", "Microsoft Defender XDR (Graph API) [BETA]", "Sekoia.io Endpoint Agent", "BeyondTrust Privileged Remote Access Session", "Microsoft Defender XDR / Microsoft 365 Defender", "Trend Micro Vision One Workbench Alerts [BETA]", "Sophos Analysis Threat Center", "BeyondTrust PRA Team [BETA]", "SentinelOne Cloud Funnel 2.0", "Crowdstrike Falcon Telemetry", "HarfangLab EDR", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "Windows", "Elastic Winlogbeat"]}, {"uuid": "37c8265f-0e4b-47c1-b521-94d242ff39f6", "name": "PowerShell Downgrade Attack", "effort": "elementary", "data_sources": ["PowerShell logs", "Process monitoring", "Process command-line parameters"], "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "196b2bd4-6a90-4a40-b093-7f4de21950e5", "name": "Secure Deletion With SDelete", "effort": "intermediate", "data_sources": ["File monitoring", "Windows event logs"], "description": "Detects renaming of file while deletion with SDelete tool. SDelete is a tool that permits to securely delete files by overwriting them (no recovery possible). Few threat actors are using it to delete traces of their malware.", "attack": ["stealth - File Deletion (T1070.004)", "stealth - Indicator Removal from Tools (T1027.005)", "impact - Data Destruction (T1485)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "a0befae8-e0f4-4b71-ae10-8265daf21126", "name": "Account Tampering - Suspicious Failed Logon Reasons", "effort": "advanced", "data_sources": ["Authentication logs", "Windows event logs"], "description": "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted. Depending on the network environment some failed logons Status can be added to the list.", "attack": ["initial-access - Valid Accounts (T1078)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent", "Elastic Winlogbeat"]}, {"uuid": "2318a458-042b-4b08-af33-67b0abc735b4", "name": "Network Share Discovery", "effort": "master", "data_sources": ["Windows event logs", "Process monitoring"], "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. File sharing over a Windows network occurs over the SMB protocol. This technique is frequently leveraged by threat actors such as APT32, APT41, Wizard Spider. But also, through the use of some malware such as Cobalt Strike, Empire, PlugX and Ramsay.", "attack": ["discovery - Network Share Discovery (T1135)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "2f26e29b-b3fb-4681-b3ee-3a79d2207862", "name": "Suspicious desktop.ini Action", "effort": "advanced", "data_sources": ["File monitoring", "Process monitoring", "Windows event logs"], "description": "Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.", "attack": ["privilege-escalation - Shortcut Modification (T1547.009)"], "intake-formats": ["Trend Micro Vision One Workbench Alerts [BETA]", "CrowdStrike Falcon", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "BeyondTrust Privileged Remote Access Session", "Daspren Parad", "BeyondTrust PRA Team [BETA]", "Tanium", "HarfangLab EDR", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "Kaspersky Endpoint Security", "Cisco NX-OS", "Trend Micro Apex One / Vision One endpoint", "WithSecure Elements", "Trellix ePO (on-prem)", "Windows", "Elastic Winlogbeat"]}, {"uuid": "371b49a4-7e11-48e7-b0c7-ab78ef7c6101", "name": "ZIP LNK Infection Chain", "effort": "advanced", "data_sources": ["Process monitoring", "Windows event logs", "File monitoring"], "description": "Detection of an ZIP download followed by a child-process of explorer, followed by multiple Windows processes.This is widely used as an infection chain mechanism.", "attack": ["execution - Malicious Link (T1204.001)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Fortinet FortiGate", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "Palo Alto Prisma access", "IBM AIX", "Watchguard EPDR", "CrowdStrike Falcon", "Postfix", "SonicWall Firewall", "Cybereason EDR", "VMware ESXi", "ESET Protect", "Google Workspace / ChromeOS", "Cato Networks SASE", "Palo Alto Cortex XDR (EDR)", "Microsoft Defender XDR / Microsoft 365 Defender", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Zscaler Internet Access", "Forcepoint Next-Generation Firewall", "Palo Alto NGFW", "HarfangLab EDR", "Microsoft 365 / Office 365", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Netskope", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "Varonis Data Security", "IBM iSeries", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Trellix ePO (on-prem)", "Windows", "Cisco IOS router and switch"]}, {"uuid": "d322ad1c-37ff-4b46-b8ca-532532776693", "name": "Suspicious Outbound Kerberos Connection", "effort": "advanced", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", "attack": ["credential-access - Steal or Forge Kerberos Tickets (T1558)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "106dbe22-de30-4d04-9df1-ee31f8dd6dd3", "name": "Alternate PowerShell Hosts Pipe", "effort": "advanced", "data_sources": ["PowerShell logs", "Process monitoring", "Windows event logs", "Named Pipes"], "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe. Prerequisites are logging for PipeEvents in Sysmon config.", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "7f75a483-640a-4305-b1e9-e1de971574c0", "name": "Suspicious Microsoft Defender Antivirus Exclusion Command", "effort": "master", "data_sources": ["PowerShell logs", "Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects PowerShell commands aiming to exclude path, process, IP address, or extension from scheduled and real-time scanning. These commands can be used by attackers or malware to avoid being detected by Windows Defender. Depending on the environment and the installed software, this detection rule could raise false positives. We recommend customizing this rule by filtering legitimate processes that use Windows Defender exclusion command in your environment.", "attack": ["stealth - Disable or Modify Tools (T1562.001)", "stealth - Deobfuscate/Decode Files or Information (T1140)", "execution - PowerShell (T1059.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "34eb0d4a-dd99-48ae-ae49-a13eb8e31ea4", "name": "Outlook Registry Access", "effort": "master", "data_sources": ["Windows event logs", "PowerShell logs", "Process command-line parameters", "Process monitoring"], "description": "Detection of accesses to Microsoft Outlook registry hive, which might contain sensitive information.", "attack": ["collection - Local Email Collection (T1114.001)", "credential-access - Credentials in Registry (T1552.002)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "6bc3ae62-4eaf-419d-a7b5-eb6779d5a565", "name": "Account Removed From A Security Enabled Group", "effort": "master", "data_sources": ["Authentication logs", "Windows event logs"], "description": "Detection in order to investigate who has removed a specific Domain User in Domain Admins or Group Policy Creator Owners (Security event 4729)", "attack": ["initial-access - Valid Accounts (T1078)"], "intake-formats": ["Keycloak Events", "Trend Micro Apex One / Vision One endpoint", "Fortinet FortiGate", "Cisco Secure Firewall", "Claroty xDome", "Palo Alto Prisma access", "RSA SecurID", "Sophos EDR", "WatchGuard Firebox", "IBM AIX", "Windows Log Insight", "Clavister NGFW", "F5 BIG-IP", "Ivanti / Pulse Connect Secure", "SonicWall Firewall", "NeroSwarm Honeypot", "Azure Network Watcher [DEPRECATED]", "Citrix NetScaler / ADC", "CyberArk Audit Logs", "Delinea PRA", "ArubaOS Switch", "Radware DefensePro [Beta]", "Salesforce", "Kubernetes Audit Log", "Trellix Advanced Threat Defense", "TEHTRIS EDR", "Azure Windows", "BeyondTrust Privileged Remote Access Session", "AWS CloudTrail", "Check Point NGFW", "BeyondTrust PRA Team [BETA]", "Sophos Analysis Threat Center", "WithSecure Elements", "CyberArk Digital Vault", "Cybereason EDR activity", "Forcepoint Next-Generation Firewall", "Palo Alto NGFW", "HarfangLab EDR", "Microsoft 365 / Office 365", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Lacework Cloud Security", "OCSF", "Sekoia.io Endpoint Agent", "IBM iSeries", "ExtraHop Reveal(x) 360", "Azure Network Watcher Flow Logs", "BeyondTrust PRA Vault Account Activity [BETA]", "Forcepoint Secure Web Gateway", "Thinkst Canary", "VMware vCenter", "Cisco NX-OS", "NucleonEDR", "Stormshield SES", "Trellix ePO (on-prem)", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "e1ca8aec-fb1f-4db5-a37b-67fd092447d9", "name": "Credential Dumping Tools Service Execution", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects well-known credential dumping tools execution via service execution", "attack": ["credential-access - LSASS Memory (T1003.001)", "credential-access - Security Account Manager (T1003.002)", "credential-access - LSA Secrets (T1003.004)", "credential-access - Cached Domain Credentials (T1003.005)", "credential-access - DCSync (T1003.006)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "2ace2370-55e3-4011-b7d5-06dbeae79ef6", "name": "Credentials Extraction", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "This rule aims to detect the use of a specific command to access some credentials without using mimikatz or another tool.", "attack": ["credential-access - Unsecured Credentials (T1552)", "credential-access - Credentials from Password Stores (T1555)"], "intake-formats": ["VMware ESXi", "Juniper NGFW", "Sekoia.io Endpoint Agent", "Elastic AuditBeat Linux", "SentinelOne Cloud Funnel 2.0", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Windows"]}, {"uuid": "1054ba23-0b61-4a63-a6cc-97002c866b16", "name": "Dumpert LSASS Process Dumper", "effort": "elementary", "data_sources": ["Windows event logs", "File monitoring"], "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", "attack": ["credential-access - LSASS Memory (T1003.001)"], "intake-formats": ["OpenSSH", "Sekoia.io Endpoint Agent", "SentinelOne Cloud Funnel 2.0", "HarfangLab EDR", "Windows"]}, {"uuid": "f3f866f5-6d65-4bc1-a4e2-30dd7c170d78", "name": "Abusing Azure Browser SSO", "effort": "master", "data_sources": ["Loaded DLLs", "Windows event logs"], "description": "Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user. This technique leverages the COM object (CoCreateInstance), which loads the DLL \"C:\\Windows\\System32\\MicrosoftAccountTokenProvider.dll\", to get an authentication token. Monitoring the load of this DLL can detect an attacker abusing this technique. More details on this technique are available in the article in the source section. The prerequisite is to log for Loaded DLLs, it can be done using the Sysmon Event ID 7 (DLL image loaded by process). ", "attack": ["credential-access - Exploitation for Credential Access (T1212)", "credential-access - Steal Application Access Token (T1528)", "lateral-movement - Application Access Token (T1550.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "5603097b-5574-41f3-bede-d882cc772b7a", "name": "Suspicious Cmd File Copy Command To Network Share", "effort": "intermediate", "data_sources": ["Windows event logs", "Process command-line parameters"], "description": "Copy suspicious files through Windows cmd prompt to network share", "attack": ["stealth - Rename Legitimate Utilities (T1036.003)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "6f353c04-8b20-42e3-960d-b9aec37b9fce", "name": "Suspicious CodePage Switch with CHCP", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects a code page switch in command line", "attack": ["execution - Windows Command Shell (T1059.003)", "execution - Visual Basic (T1059.005)", "execution - JavaScript (T1059.007)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "0aa746ea-2f44-45cf-9747-3e1d180d4b09", "name": "Windows Credential Editor Registry Key", "effort": "elementary", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects the use of Windows Credential Editor (WCE). Prerequisites are logging for Registry events in the Sysmon configuration (events 12 and 13).", "attack": ["credential-access - LSASS Memory (T1003.001)"], "intake-formats": ["Azure Windows", "Microsoft Defender XDR (Graph API) [BETA]", "Sekoia.io Endpoint Agent", "BeyondTrust Privileged Remote Access Session", "Microsoft Defender XDR / Microsoft 365 Defender", "Trend Micro Vision One Workbench Alerts [BETA]", "Sophos Analysis Threat Center", "BeyondTrust PRA Team [BETA]", "SentinelOne Cloud Funnel 2.0", "Crowdstrike Falcon Telemetry", "HarfangLab EDR", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "Windows", "Elastic Winlogbeat"]}, {"uuid": "c7c06923-5ab4-43c4-99ff-520720a06819", "name": "CertOC Loading Dll", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.", "attack": ["stealth - System Binary Proxy Execution (T1218)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "dc9fa397-87af-4df4-85f1-ead2644e2241", "name": "Failed Logon Followed By A Success From Public IP Addresses", "effort": "master", "data_sources": ["Authentication logs", "Windows event logs"], "description": "A login from a public IP can indicate a misconfigured firewall or network boundary. The detection look for 5 or more failed attemps followed by a successfull one. The sekoia.tags are used to filter internal Ipv4 addresses.", "attack": ["initial-access - Valid Accounts (T1078)", "initial-access - Exploit Public-Facing Application (T1190)", "initial-access - External Remote Services (T1133)"], "intake-formats": []}, {"uuid": "b4fca87a-a0e6-4024-8680-72c9b2fdaf9b", "name": "TrustedInstaller Impersonation", "effort": "intermediate", "data_sources": ["Windows event logs", "PowerShell logs"], "description": "The rule detects attempts to impersonate TrustedInstaller. TrustedInstaller rights could allow a threat actor to delete or modify protected file or create/delete/modify files in protected folders. This technique is used by threat actors to disable Windows Defender.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Sekoia.io Endpoint Agent", "Trend Micro Vision One Workbench Alerts [BETA]", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "HarfangLab EDR", "Windows", "Elastic Winlogbeat"]}, {"uuid": "74151423-36bd-4f3f-634d-24b4f47ea186", "name": "Correlation Internal Kerberos Password Spraying", "effort": "master", "data_sources": ["Windows event logs"], "description": "Detect multiple Kerberos authentication failed on several account from one source", "attack": ["credential-access - Password Spraying (T1110.003)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "7f215f85-5d0d-465c-9879-dc5ff6511fed", "name": "AutoIt3 Execution From Suspicious Folder", "effort": "advanced", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects AutoIt3 execution from an unusual/suspicious folder. Legitimate folders are \"Program Files\" and \"AppData\\\\Local\". AutoIt3.exe is a legitimate process used to execute AutoIt program files, which are used by legitimate software, custom scripts, but also malware. Finding AutoIt3 execution from unusual/suspicious folder can help detect malware activities, such as DarkGate execution. The detection rule can be tailored to your environment and your use of AutoIt3 by filtering out folder's execution of legitimate applications or scripts.", "attack": ["stealth - Masquerading (T1036)", "execution - Command and Scripting Interpreter (T1059)"], "intake-formats": ["Akamai Guardicore On-Prem [BETA]", "CrowdStrike Falcon", "ESET Protect", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "SentinelOne Singularity Identity", "Daspren Parad", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Tanium", "HarfangLab EDR", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "Broadcom/Symantec Endpoint Security", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Trellix ePO (on-prem)", "Windows", "Elastic Winlogbeat"]}, {"uuid": "5a6e479e-f2f0-45bb-8112-9b9e1417a72c", "name": "RDP Port Change Using Powershell", "effort": "intermediate", "data_sources": ["PowerShell logs", "Process monitoring", "Windows event logs", "Windows Registry"], "description": "Detects RDP port configuration change using a PowerShell command such as 'Set-ItemProperty -Path \"HKLM:\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" -Name PortNumber -Value XXX Restart-Service termservice -force'. Threat actors can change RDP to another port to bypass protections, avoid detection based on the port, or to take full control of the system. ", "attack": ["persistence - Modify Registry (T1112)", "command-and-control - Non-Standard Port (T1571)", "lateral-movement - Remote Desktop Protocol (T1021.001)"], "intake-formats": ["Sekoia.io Endpoint Agent", "Trend Micro Vision One Workbench Alerts [BETA]", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "HarfangLab EDR", "Windows", "Elastic Winlogbeat"]}, {"uuid": "7b350761-eb2f-4eab-ad5f-48619c99fb01", "name": "Suncrypt Parameters", "effort": "elementary", "data_sources": ["PowerShell logs", "Process command-line parameters"], "description": "Detects SunCrypt ransomware's parameters, most of which are unique.", "attack": ["impact - Data Encrypted for Impact (T1486)", "impact - Inhibit System Recovery (T1490)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "c3ff4445-8bc7-4604-af3b-414e60072450", "name": "Microsoft Windows Active Directory Module Commandlets", "effort": "advanced", "data_sources": ["Windows event logs", "PowerShell logs"], "description": "Detects use of commandlets linked to the AD Module.", "attack": ["reconnaissance - Gather Victim Network Information (T1590)"], "intake-formats": ["Sekoia.io Endpoint Agent", "Trend Micro Vision One Workbench Alerts [BETA]", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "HarfangLab EDR", "Windows"]}, {"uuid": "ac2a3f0a-fdc2-4c77-8c94-f4e211853745", "name": "PowerShell EncodedCommand", "effort": "advanced", "data_sources": ["PowerShell logs", "Windows event logs", "Process command-line parameters"], "description": "Detects popular file extensions in commands obfuscated in base64 run through the EncodedCommand option.", "attack": ["execution - PowerShell (T1059.001)", "stealth - Obfuscated Files or Information (T1027)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "cd520037-1575-43c4-b1d1-543a6c87fc12", "name": "Correlation PowerShell Suspicious DLL Loading", "effort": "intermediate", "data_sources": ["Process monitoring", "Process command-line parameters", "Windows event logs", "PowerShell logs"], "description": "Detect some suspicious Windows DLL Loading where some PowerShell activity from the binary itself, followed by the same DLL process spawning other process. This is related to the usage of a PowerShell Named Pipe IPC from the DLL.", "attack": ["execution - Malicious Link (T1204.001)"], "intake-formats": ["Juniper NGFW", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "Windows", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "e3fe6d7d-7609-4641-9c52-62ccf578d35a", "name": "Msdt (Follina) File Browse Process Execution", "effort": "elementary", "data_sources": ["PowerShell logs", "Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects various Follina vulnerability exploitation techniques. This is based on the Compatability Troubleshooter which is abused to do code execution.", "attack": ["execution - Exploitation for Client Execution (T1203)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "c81e28f7-ff79-4407-a214-9139b8717d8c", "name": "SquirrelWaffle Malspam Execution Loading DLL", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects cscript running suspicious command to load a DLL. This behavior has been detected in SquirrelWaffle campaign.", "attack": ["execution - Malicious File (T1204.002)", "execution - Windows Command Shell (T1059.003)", "execution - Visual Basic (T1059.005)", "stealth - Rundll32 (T1218.011)"], "intake-formats": ["Azure Activity Logs", "Azure Windows", "OCSF", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Bitdefender GravityZone", "Microsoft Defender XDR / Microsoft 365 Defender", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "49723ee1-5b07-4d70-b044-c215a1378e64", "name": "Elevated Shell Launched By Browser", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "Detects when openwith.exe is launched with privileges followed by a browser launching an elevated shell. Related to the CVE-2024-38014.", "attack": ["execution - Hijack Execution Flow (T1574)", "resource-development - Vulnerabilities (T1588.006)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "CrowdStrike Falcon", "SonicWall Firewall", "Cybereason EDR", "VMware ESXi", "ESET Protect", "Microsoft Defender XDR / Microsoft 365 Defender", "Juniper NGFW", "SentinelOne Singularity Identity", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "HarfangLab EDR", "Microsoft 365 / Office 365", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows"]}, {"uuid": "02ff3e37-a71c-4304-b189-9aa81a6bff68", "name": "Schtasks Suspicious Parent", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects schtasks started from suspicious and/or unusual processes.", "attack": ["privilege-escalation - Scheduled Task (T1053.005)"], "intake-formats": ["Azure Activity Logs", "Azure Windows", "ESET Protect", "OCSF", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "74f9cbff-7200-47a0-8c27-118ff10a3ec9", "name": "HackTools Suspicious Process Names In Command Line", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs", "Process command-line parameters"], "description": "Detects the default process name of several HackTools and also check in command line. This rule is here for quickwins as it obviously has many blind spots.", "attack": ["credential-access - OS Credential Dumping (T1003)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "5adfa036-938e-4d7f-bc3c-9c503d601e85", "name": "WMI Fingerprint Commands", "effort": "advanced", "data_sources": ["Windows event logs", "Process command-line parameters"], "description": "Detects attacker fingerprint activities based on the correlation of specific WMIC commands. This has been observed with Aurora malware.", "attack": ["execution - Windows Management Instrumentation (T1047)", "discovery - System Information Discovery (T1082)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Microsoft Defender XDR / Microsoft 365 Defender", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch"]}, {"uuid": "c0307ec4-9ffc-4d67-be9f-24a5cad89d1a", "name": "Disable Windows Defender Credential Guard", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs", "Windows Registry"], "description": "Detects registry keys being changed to disable Windows Defender Credential Guard. The rule requires to log Registry Keys modifications or creations, which can be done using Sysmon Event IDs 12,13 and 14.", "attack": ["stealth - Impair Defenses (T1562)", "stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "0763de72-1a2a-4962-b2c1-f189abd4bfbe", "name": "Explorer Process Executing HTA File", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects a suspicious execution of an HTA file by the explorer.exe process. This unusual activity was observed when running IcedID malspam.", "attack": ["execution - Malicious File (T1204.002)", "stealth - Mshta (T1218.005)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "d0e46c8a-7e0b-4955-95b5-0e11c0ae6d3e", "name": "Disable Workstation Lock", "effort": "elementary", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Registry change in order to disable the ability to lock the computer by using CTRL+ALT+DELETE or CTRL+L. This registry key does not exist by default. Its creation is suspicious and the value set to \"1\" means an activation. It has been used by FatalRAT, but other attacker/malware could probably use it. This rule needs Windows Registry changes (add,modification,deletion) logging which can be done through Sysmon Event IDs 12,13,14.", "attack": ["persistence - Modify Registry (T1112)"], "intake-formats": ["Azure Windows", "Microsoft Defender XDR (Graph API) [BETA]", "Sekoia.io Endpoint Agent", "BeyondTrust Privileged Remote Access Session", "Microsoft Defender XDR / Microsoft 365 Defender", "Trend Micro Vision One Workbench Alerts [BETA]", "BeyondTrust PRA Team [BETA]", "SentinelOne Cloud Funnel 2.0", "Crowdstrike Falcon Telemetry", "HarfangLab EDR", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "Windows", "Elastic Winlogbeat"]}, {"uuid": "a46e93c0-1224-4a15-85c9-93144c6bdeaa", "name": "Netsh Port Opening", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring", "Process use of network", "Windows event logs"], "description": "Detects netsh commands that opens a specific port. Can be used by malware or attackers for lateralisation/exfiltration (e.g. SMB/RDP opening).", "attack": ["stealth - Disable or Modify System Firewall (T1562.004)", "stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "a91895dd-6bec-4eff-a763-bcfdff16bf53", "name": "Smbexec.py Service Installation", "effort": "elementary", "data_sources": ["Windows event logs"], "description": "Detects the use of smbexec.py tool by detecting a specific service installation", "attack": ["lateral-movement - SMB/Windows Admin Shares (T1021.002)", "execution - Service Execution (T1569.002)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent", "Elastic Winlogbeat"]}, {"uuid": "c49423f5-775b-4244-84e0-d905d61bf13d", "name": "Enabling Restricted Admin Mode", "effort": "elementary", "data_sources": ["Windows event logs", "PowerShell logs"], "description": "Detects when the restricted admin mode is enabled.", "attack": ["privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "43fab0ee-f33c-4816-a8d8-97cf6687682c", "name": "Remote Task Creation Via ATSVC Named Pipe", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "Detects remote task creation via at.exe or API interacting with ATSVC Named Pipe. This requires Windows Security event logging with the File Share policy.", "attack": ["privilege-escalation - At (T1053.002)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "233f1e82-be44-4e00-98b6-de1a3d2f9071", "name": "Process Memory Dump Using Createdump", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects the use of createdump.exe in command line to dump the memory of a process. This technique is used by attackers for privilege escalation and pivot.", "attack": ["credential-access - OS Credential Dumping (T1003)", "credential-access - LSASS Memory (T1003.001)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "101c3203-d492-4294-9603-5b783c89fa7a", "name": "Rubeus Register New Logon Process", "effort": "master", "data_sources": ["Windows event logs"], "description": "Detects potential use of Rubeus through registering a new logon process. This rule needs the EventID 4611, which can be configured through Group Policies (Audit Security System Extension)", "attack": ["credential-access - Steal or Forge Kerberos Tickets (T1558)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent", "Elastic Winlogbeat"]}, {"uuid": "67b48f71-fc80-48fd-a2c6-6329834aa880", "name": "Rare Lsass Child Found", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Lsass ensures the identification of users (domain users or local users). Domain users are identified based on information in the Active Directory. Local users are identified based on information from the Security Account Manager (SAM) local database. This process should not create a child process or it is very rare.", "attack": ["privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Azure Windows", "ESET Protect", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Tanium", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "edf13c0b-dbd3-4c96-94ce-edf31ffe8974", "name": "Windows Defender Deactivation Using PowerShell Script", "effort": "master", "data_sources": ["Windows event logs", "PowerShell logs"], "description": "Detects attempts to deactivate Windows Defender with PowerShell using ScriptBlockLogging.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Sekoia.io Endpoint Agent", "Trend Micro Vision One Workbench Alerts [BETA]", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "HarfangLab EDR", "Windows", "Elastic Winlogbeat"]}, {"uuid": "b6d9bb54-a771-4a78-a8fc-8e31c965b05a", "name": "MSBuild Abuse", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Windows event logs", "Process use of network"], "description": "Detection of MSBuild uses by attackers to infect an host. Focuses on XML compilation which is a Metasploit payload.", "attack": ["execution - MSBuild (T1127.001)"], "intake-formats": ["Trend Micro Vision One Workbench Alerts [BETA]", "CrowdStrike Falcon", "NucleonEDR", "Google Kubernetes Engine", "Bitdefender GravityZone", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Tanium", "HarfangLab EDR", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "55b184b8-694a-4c94-b562-212653236fb5", "name": "Suspicious CommandLine Lsassy Pattern", "effort": "intermediate", "data_sources": ["Windows event logs", "Process command-line parameters"], "description": "Detects the characteristic lsassy loop used to identify lsass PIDs", "attack": ["credential-access - LSASS Memory (T1003.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "b809c668-c8c7-4380-bf13-ff74783e72e9", "name": "Antivirus Exploitation Framework Detection", "effort": "elementary", "data_sources": ["Windows event logs", "Anti-virus"], "description": "Detects a highly relevant Antivirus alert that reports an exploitation framework. This is based on Windows Defender logs (Event ID 1116 and 1117). ", "attack": ["execution - Exploitation for Client Execution (T1203)", "command-and-control - Remote Access Tools (T1219)"], "intake-formats": ["HarfangLab EDR", "Stormshield SES", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "c08af59a-0d3a-4138-a345-acf3a8819bfb", "name": "Suspicious Netsh DLL Persistence", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects persitence via netsh helper. Netsh interacts with other operating system components using dynamic-link library (DLL) files. Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs.", "attack": ["persistence - Netsh Helper DLL (T1546.007)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "0f617c02-96f9-4d94-add6-8825a809f1ae", "name": "Dynwrapx Module Loading", "effort": "advanced", "data_sources": ["DLL monitoring", "Loaded DLLs", "Windows event logs"], "description": "Detects the loading of DynamicWrapperX (Dynwrapx). It is used by some malware in their infection chain and could help to detect its usage from vbs/wscript/cscript scripts. This is based on Microsoft Windows Sysmon events (Event ID 7).", "attack": ["stealth - Regsvr32 (T1218.010)", "privilege-escalation - Dynamic-link Library Injection (T1055.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "b4706924-a715-4122-b1ae-878be138d08e", "name": "Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys", "effort": "master", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects persistence registry keys. Logging for Registry events is needed, it can be done in the Sysmon configuration (events 12 and 13).", "attack": ["persistence - Image File Execution Options Injection (T1546.012)"], "intake-formats": ["Azure Windows", "Microsoft Defender XDR (Graph API) [BETA]", "Sekoia.io Endpoint Agent", "BeyondTrust Privileged Remote Access Session", "Microsoft Defender XDR / Microsoft 365 Defender", "Trend Micro Vision One Workbench Alerts [BETA]", "Sophos Analysis Threat Center", "BeyondTrust PRA Team [BETA]", "SentinelOne Cloud Funnel 2.0", "Crowdstrike Falcon Telemetry", "HarfangLab EDR", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "Windows", "Elastic Winlogbeat"]}, {"uuid": "e030b7df-fb87-4a71-bf83-71c7d72ca76b", "name": "Suspicious Network Args In Command Line", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detection on some commonly observed suspicious processes command lines using HTTP schema with port 443.", "attack": ["command-and-control - Non-Standard Port (T1571)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "6e951873-3b53-4f9f-880a-17ace5f961be", "name": "Microsoft IIS Module Installation", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects the installation of a new IIS module from the command line. It can used used to backdoor an IIS/OWA/Sharepoint server.", "attack": ["persistence - Server Software Component (T1505)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "39e2409d-28c4-424c-b80f-b0a408542210", "name": "Mimikatz LSASS Memory Access", "effort": "advanced", "data_sources": ["Authentication logs", "Process monitoring", "Windows event logs"], "description": "Detection of in-memory Mimikatz by focusing on processes opening the Local Security Authority (Lsass.exe) process and reading the memory contents of it. This probably means that Mimikatz has been executed on the host, meaning the attacker already has high privileges and is looking to dump credentials, most likely for lateral movement or privilege escalation purposes. The rule requires Sysmon EventID 10 to work as it is based on the GrantedAccess mask.", "attack": ["credential-access - LSASS Memory (T1003.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "3c305f20-1b2f-465c-b39f-5f9992cd9a80", "name": "Shadow Copies", "effort": "master", "data_sources": ["PowerShell logs", "Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects command line used to create and list shadow copies. An adversary may attempt to get information on shadow volumes to perform deletion or extract password hashes from the ntds.dit file. This rule requires command line logging or Windows PowerShell events (4104).", "attack": ["discovery - System Information Discovery (T1082)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "50d57ddd-e560-48d8-9529-4e303d3bd2a2", "name": "BazarLoader Persistence Using Schtasks", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects possible BazarLoader persistence using schtasks. BazarLoader will create a Scheduled Task using a specific command line to establish its persistence.", "attack": ["privilege-escalation - Scheduled Task (T1053.005)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "15c00b38-8b0d-454b-8183-5fb451cb0f7a", "name": "Wdigest Enable UseLogonCredential", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs", "Windows Registry"], "description": "Detects modification of the Windows Registry value of HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential. This technique is used to extract passwords in clear-text using WDigest. The rule requires to log for Registry Events, which can be done using Sysmon Event IDs 12, 13 and 14.", "attack": ["persistence - Modify Registry (T1112)", "credential-access - OS Credential Dumping (T1003)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "cb0a6215-874e-4a5b-8feb-571ddf3bfcee", "name": "Reconnaissance Commands Activities", "effort": "intermediate", "data_sources": ["Windows event logs", "Process command-line parameters"], "description": "Based on Cynet, Microsoft and Kaspersky analysis of Qakbot, this rule tries to detect some discovery TTPs.", "attack": ["persistence - Event Triggered Execution (T1546)", "privilege-escalation - Abuse Elevation Control Mechanism (T1548)", "discovery - Account Discovery (T1087)", "discovery - System Network Configuration Discovery (T1016)", "discovery - System Network Connections Discovery (T1049)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Microsoft Defender XDR / Microsoft 365 Defender", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch"]}, {"uuid": "a51ad4d2-3e22-4c27-a527-84b5d78d1736", "name": "Winword Document Droppers", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects specific process characteristics of word document droppers. This techniques has been used by Maze ransomware operators.", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["Azure Activity Logs", "Azure Windows", "ESET Protect", "OCSF", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "2c3fb333-6a68-40d7-9ced-dfaa94265187", "name": "Remote Enumeration Of Lateral Movement Groups", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "Detects remote sessions that list the members of four local groups relevant to lateral movement. This behavior is common in Active Directory mapping tools such as SharpHound. Legitimate Active Directory auditing and monitoring tools (e.g. Varonis, Netwrix) will also be detected, and can by excluded by applying an alert filter on the SID of the service account (user.id).", "attack": ["discovery - Local Account (T1087.001)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "7ba47e1a-348d-4601-8615-58e563faf382", "name": "XSL Script Processing And SquiblyTwo Attack", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Process use of network", "Windows event logs"], "description": "Detection of an attack where adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Another variation of this technique, dubbed \"Squiblytwo\", involves to invoke JScript or VBScript within an XSL file.", "attack": ["execution - Windows Management Instrumentation (T1047)", "stealth - XSL Script Processing (T1220)", "execution - Visual Basic (T1059.005)", "execution - JavaScript (T1059.007)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "5fd5c30d-0305-49b2-a1a7-e977da5293e7", "name": "RTLO Character", "effort": "elementary", "data_sources": ["File monitoring", "Windows event logs"], "description": "Detects RTLO (Right-To-Left character) in file and process names.", "attack": ["stealth - Right-to-Left Override (T1036.002)"], "intake-formats": ["Broadcom Siteminder", "Fortinet FortiGate", "Cloudflare Gateway HTTP", "Cybereason EDR", "Elastic AuditBeat Linux", "Trellix Network Security", "Cisco Secure Web Appliance", "Azure Windows", "Proofpoint PoD", "Juniper NGFW", "Daspren Parad", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Zscaler Internet Access", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Fortinet FortiProxy", "Stormshield SNS", "Microsoft 365 / Office 365", "OCSF", "VMware vCenter", "Crowdstrike Falcon Telemetry", "Elastic Winlogbeat", "Watchguard EPDR", "ManageEngine ADAudit Plus", "CrowdStrike Falcon", "Postfix", "Google Workspace / ChromeOS", "Trellix Advanced Threat Defense", "TEHTRIS EDR", "BeyondTrust Privileged Remote Access Session", "BeyondTrust PRA Team [BETA]", "Akamai Guardicore Cloud [BETA]", "Sekoia.io Endpoint Agent", "Cisco Umbrella Proxy", "Varonis Data Security", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Trellix EPO [ALPHA]", "Broadcom/Symantec Endpoint Security", "Trellix ePO (on-prem)", "Cisco IOS router and switch", "WithSecure Elements", "Microsoft Defender XDR (Graph API) [BETA]", "Akamai Guardicore On-Prem [BETA]", "Cisco Secure Firewall", "Palo Alto Prisma access", "IBM AIX", "Windows Log Insight", "SonicWall Firewall", "Mimecast Email Security", "ESET Protect", "Cato Networks SASE", "CyberArk Audit Logs", "Gatewatcher AionIQ V103", "CEF", "Fortinet FortiMail", "Palo Alto NGFW", "Netskope", "Thinkst Canary", "Cisco NX-OS", "Windows", "Jumpcloud Directory Insights", "Keycloak Events", "Gatewatcher AionIQ v102", "Claroty xDome", "Trend Micro Vision One Workbench Alerts [BETA]", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "CyberArk Digital Vault", "Trend Micro Cloud One / Deep Security", "Azure Activity Logs", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "SentinelOne EDR", "Kaspersky Endpoint Security", "IBM iSeries"]}, {"uuid": "04ca5e61-a17e-4609-9e20-08d002c1d66f", "name": "Suspicious Commands From MS SQL Server Shell", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs", "Process command-line parameters"], "description": "Detection of some shell commmands run from a cmd executed by Microsoft MS SQL Server. It could be a sign of xp_cmdshell allowed on the MS-SQL server.", "attack": ["privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Sekoia.io Endpoint Agent", "SentinelOne Cloud Funnel 2.0", "Tanium", "HarfangLab EDR", "Windows", "Elastic Winlogbeat"]}, {"uuid": "d0c8df42-02b4-4a4a-a316-334121cae30c", "name": "Suspicious DLL Loading By Ordinal", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects suspicious DLL Loading by ordinal number in a non legitimate or rare folders. For example, Sofacy (APT28) used this technique to load their Trojan in a campaign of 2018.", "attack": ["stealth - Rundll32 (T1218.011)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "9b0a9e42-2aa0-422f-958f-0285be1e208d", "name": "WMIC Command To Determine The Antivirus", "effort": "advanced", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters", "WMI Objects"], "description": "Detects WMIC command to determine the antivirus on a system, characteristic of the ZLoader malware (and possibly others)", "attack": ["discovery - Security Software Discovery (T1518.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "57f58e5c-3711-4e22-834d-5aedd5cf6efa", "name": "JS PowerShell Infection Chains", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs", "Process command-line parameters"], "description": "Detect JS script execution who run a PowerShell download and exec command_line", "attack": ["execution - JavaScript (T1059.007)", "execution - PowerShell (T1059.001)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "Microsoft Defender XDR / Microsoft 365 Defender", "Juniper NGFW", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Crowdstrike Falcon Telemetry", "Cisco NX-OS", "Stormshield SES", "Windows"]}, {"uuid": "3520662c-ca99-49e8-be7a-214922285dc5", "name": "PowerShell AMSI Deactivation Bypass Using .NET Reflection", "effort": "advanced", "data_sources": ["PowerShell logs", "Process command-line parameters", "Process monitoring"], "description": "Detects Request to amsiInitFailed that can be used to disable AMSI (Antimalware Scan Interface) Scanning. More information about Antimalware Scan Interface https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "b870d799-eac6-4e02-8f38-e796ec8dd09b", "name": "Qakbot Persistence Using Schtasks", "effort": "intermediate", "data_sources": ["Process monitoring", "Process command-line parameters", "Windows event logs"], "description": "Detects possible Qakbot persistence using schtasks.", "attack": ["privilege-escalation - At (T1053.002)", "privilege-escalation - Scheduled Task (T1053.005)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "3b9aaf19-9776-4ee2-9311-c38cc12233af", "name": "Cmd.exe Used To Run Reconnaissance Commands", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process use of network", "Windows event logs"], "description": "Detects command lines with suspicious args", "attack": ["discovery - System Network Connections Discovery (T1049)"], "intake-formats": ["Azure Activity Logs", "Azure Windows", "OCSF", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Bitdefender GravityZone", "Microsoft Defender XDR / Microsoft 365 Defender", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "d29bcb40-cba9-42c3-b9cb-a4798bb1331e", "name": "Cobalt Strike Default Service Creation Usage", "effort": "elementary", "data_sources": ["Windows event logs", "Process monitoring"], "description": "Detects Cobalt Strike usage from an existing beacon when attacker tries to elevate or move laterally through a service creation.", "attack": ["privilege-escalation - Windows Service (T1543.003)", "lateral-movement - SMB/Windows Admin Shares (T1021.002)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "dae12807-25a0-4f02-ac05-eb3fa137e5aa", "name": "Security Support Provider (SSP) Added to LSA Configuration", "effort": "elementary", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects the addition of a SSP to the registry. This is commonly used for persistence. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows. Logging for Registry events is needed for this rule to work (this can be done through Sysmon EventIDs 12 and 13).", "attack": ["privilege-escalation - Security Support Provider (T1547.005)"], "intake-formats": ["Azure Windows", "Sekoia.io Endpoint Agent", "BeyondTrust Privileged Remote Access Session", "Microsoft Defender XDR / Microsoft 365 Defender", "Trend Micro Vision One Workbench Alerts [BETA]", "BeyondTrust PRA Team [BETA]", "SentinelOne Cloud Funnel 2.0", "Crowdstrike Falcon Telemetry", "HarfangLab EDR", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "Windows", "Elastic Winlogbeat"]}, {"uuid": "a8f41ba4-ad15-4a4e-862a-f44faf2dc9a8", "name": "Wininit Wrong Parent", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Windows Boot is a background application launcher for the Windows operating system. Wininit.exe is responsible for performing the Windows initialization process. This rule analyse if the parent of this process is a legitimate one or not.", "attack": ["privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Azure Windows", "Sekoia.io Endpoint Agent", "Elastic Winlogbeat", "SentinelOne Cloud Funnel 2.0", "CrowdStrike Falcon", "HarfangLab EDR", "Windows", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "83ec9281-3078-409c-9905-ab9165495b9f", "name": "Backup Catalog Deleted", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "The rule detects when the Backup Catalog has been deleted. It means the administrators will not be able to access any backups that were created earlier to perform recoveries. This is often being done using the wbadmin.exe tool.", "attack": ["impact - Data Destruction (T1485)"], "intake-formats": ["Azure Windows", "Keycloak Events", "Fortinet FortiGate", "OCSF", "Sekoia.io Endpoint Agent", "Stormshield SES", "AWS CloudTrail", "WithSecure Elements", "CyberArk Audit Logs", "Delinea PRA", "ArubaOS Switch", "HarfangLab EDR", "Ivanti / Pulse Connect Secure", "Trellix ePO (on-prem)", "Windows", "NeroSwarm Honeypot", "Elastic Winlogbeat"]}, {"uuid": "4e7b3d76-62cd-4694-a4c3-c0e33c663034", "name": "Microsoft Defender Antivirus Disabled Base64 Encoded", "effort": "intermediate", "data_sources": ["PowerShell logs", "Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects attempts to deactivate/disable Windows Defender through base64 encoded PowerShell command line or scripts.", "attack": ["stealth - Disable or Modify Tools (T1562.001)", "stealth - Deobfuscate/Decode Files or Information (T1140)", "execution - PowerShell (T1059.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "3e4d0b72-9677-4e32-8640-2ee73ed63475", "name": "Denied Access To Remote Desktop", "effort": "intermediate", "data_sources": ["Windows event logs", "Process use of network"], "description": "Detects when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. This event can be generated by attackers when searching for available windows servers in the network. This rule detects only users from external network.", "attack": ["lateral-movement - Remote Desktop Protocol (T1021.001)", "initial-access - Valid Accounts (T1078)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "c4613798-aad5-40ea-81eb-31a10397dda3", "name": "Microsoft Exchange Server Creating Unusual Files", "effort": "intermediate", "data_sources": ["File monitoring", "Windows event logs", "Process monitoring"], "description": "Look for Microsoft Exchange Server\u2019s Unified Messaging service creating non-standard content on disk, which could indicate web shells or other malicious content, suggesting exploitation of CVE-2021-26858 vulnerability", "attack": ["persistence - Web Shell (T1505.003)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "Postfix", "CrowdStrike Falcon", "SonicWall Firewall", "Cybereason EDR", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "CEF", "Barracuda CloudGen Firewall", "Daspren Parad", "Sophos Analysis Threat Center", "Tanium", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Microsoft 365 / Office 365", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "IBM iSeries", "Thinkst Canary", "Cisco NX-OS", "Trend Micro Apex One / Vision One endpoint", "WithSecure Elements", "Trellix ePO (on-prem)", "Windows", "Elastic Winlogbeat"]}, {"uuid": "70b511b8-9cbe-4fc0-832a-7b154e41b510", "name": "Csrss Wrong Parent", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "The csrss.exe process (csrss stands for Client / Server Runtime Subsystem) is a generic Windows process used to manage windows and Windows graphics. This rule analyse if the parent of this process is a legitimate one or not.", "attack": ["privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Azure Windows", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Cloud Funnel 2.0", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "f56c2457-f1bc-4cc2-87ee-658b76dd2e49", "name": "PowerShell NTFS Alternate Data Stream", "effort": "advanced", "data_sources": ["PowerShell logs", "Windows event logs"], "description": "Detects writing data into NTFS alternate data streams from PowerShell. Needs Script Block Logging (Event ID 4104)", "attack": ["stealth - NTFS File Attributes (T1564.004)", "execution - PowerShell (T1059.001)"], "intake-formats": ["Sekoia.io Endpoint Agent", "Trend Micro Vision One Workbench Alerts [BETA]", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "HarfangLab EDR", "Windows", "Elastic Winlogbeat"]}, {"uuid": "83a1d213-21c1-4d6b-8443-a120d5396388", "name": "Suspicious Hostname", "effort": "advanced", "data_sources": ["Authentication logs", "Windows event logs"], "description": "Detects suspicious hostnames such as ones with kali in it, to detect kali linux default hosts, but also other hostnames commonly used in attacks. List can be improved according to the environment.", "attack": ["command-and-control - Proxy (T1090)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "5044359e-ea46-4329-877b-7f9cbebe2830", "name": "Registry Value Changed Via Windows Run Dialog", "effort": "master", "data_sources": ["Windows Registry", "Process monitoring"], "description": "Detects when a user enters a suspicious url command in the windows run dialog. Could be linked to ClickFix. For this rule, you will need to add auditing permissions to this specific key and enable audit registry.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "afd2f25a-f332-42a8-9cdb-d6f74545cfe2", "name": "VSCode Tunnel Shell Exec", "effort": "advanced", "data_sources": ["Windows event logs", "Process command-line parameters"], "description": "Using VSCode and its remote tunnel access feature to run a terminal and execute commands. This could be a legit use, but also has been observed being used by some attackers.", "attack": ["execution - Windows Management Instrumentation (T1047)"], "intake-formats": ["Azure Windows", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "Sophos Analysis Threat Center", "Elastic Winlogbeat", "SentinelOne Cloud Funnel 2.0", "Tanium", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "d79ac837-e255-4109-8e8f-371d0ccacf61", "name": "Powershell AMSI Bypass", "effort": "advanced", "data_sources": ["Windows event logs", "PowerShell logs"], "description": "This rule aims to detect attempts to bypass AMSI in powershell using specific techniques.", "attack": ["stealth - Disable or Modify System Firewall (T1562.004)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "9e65a56f-af6e-4fec-8346-7df35d58bc4f", "name": "Inhibit System Recovery Deleting Backups", "effort": "intermediate", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters", "PowerShell logs"], "description": "Detects adversaries attempts to delete backups or inhibit system recovery. This rule relies on differents known techniques using Windows events logs from Sysmon (ID 1), and PowerShell (ID 4103, 4104).", "attack": ["impact - Inhibit System Recovery (T1490)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "8ce183b9-22eb-4cbe-815a-d624693db2bd", "name": "Suspicious Mshta Execution", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects suspicious mshta.exe execution patterns, either involving file polyglotism, remote file (http, ftp or ldap) or suspicious location. This technique is often used by threat actors.", "attack": ["stealth - Deobfuscate/Decode Files or Information (T1140)", "stealth - Mshta (T1218.005)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "d844b812-6c8e-49a2-9807-f7359783601e", "name": "Microsoft Office Macro Security Registry Modifications", "effort": "master", "data_sources": ["Windows event logs", "Windows Registry", "Process monitoring", "Process command-line parameters"], "description": "Detects registry changes allowing an attacker to make Microsoft Office products runs Macros without warning. Events are collected either from ETW/Sysmon/EDR depending of the integration.", "attack": ["privilege-escalation - Registry Run Keys / Startup Folder (T1547.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "One Identity SPS", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "WithSecure Elements", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "276efd99-3e10-402f-8024-abf6d9ce346f", "name": "Python HTTP Server", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs", "PowerShell logs"], "description": "Detects command used to start a Simple HTTP server in Python. Threat actors could use it for data extraction, hosting a webshell or else.", "attack": ["command-and-control - Web Protocols (T1071.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "365c4283-cb09-4f92-b5eb-437df95e2fc0", "name": "Elevated Msiexec Via Repair Functionality", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "Detects when msiexec.exe is used with the repair functionality. The process gains elevated privileges. Attackers can use this to exploit the CVE-2024-38014.", "attack": ["execution - Hijack Execution Flow (T1574)", "resource-development - Vulnerabilities (T1588.006)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "Microsoft Defender XDR / Microsoft 365 Defender", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch"]}, {"uuid": "24404a1b-5a8e-47be-8b40-1f371261ccb0", "name": "Network Connection Via Certutil", "effort": "intermediate", "data_sources": ["Process monitoring", "Process use of network", "Windows event logs"], "description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.", "attack": ["command-and-control - Ingress Tool Transfer (T1105)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "876d4a1b-dd2e-4b2b-9a88-ac1aa08609ba", "name": "ICacls Granting Access To All", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects suspicious icacls command granting access to all, used by the ransomware Ryuk to delete every access-based restrictions on files and directories. ICacls is a built-in Windows command to interact with the Discretionary Access Control Lists (DACLs) which can grand adversaries higher permissions on specific files and folders.", "attack": ["defense-impairment - Windows Permissions (T1222.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "cbba591a-7dea-4f7b-a7f3-b5056906e99b", "name": "Web Application Launching Shell", "effort": "master", "data_sources": ["Windows event logs"], "description": "Detects when a web application launches a shell.", "attack": ["execution - Windows Command Shell (T1059.003)"], "intake-formats": ["Azure Activity Logs", "Azure Windows", "ESET Protect", "OCSF", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "0fd6778f-c265-4a93-b736-1754778db1a1", "name": "PowerCat Function Loading", "effort": "intermediate", "data_sources": ["Windows event logs", "PowerShell logs", "Process monitoring", "Process command-line parameters"], "description": "Detect a basic execution of PowerCat. PowerCat is a PowerShell function allowing to do basic connections, file transfer, shells, relays, generate payloads.", "attack": ["persistence - Web Shell (T1505.003)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "39b1259f-aa2a-4b33-a192-806db7d5cde4", "name": "NTDS.dit File Interaction Through Command Line", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects interaction with the file NTDS.dit through command line. This is usually really suspicious and could indicate an attacker trying copy the file to then look for users password hashes.", "attack": ["credential-access - NTDS (T1003.003)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "04caf5b7-f885-4af8-9aec-fa7de070228c", "name": "Active Directory Shadow Credentials", "effort": "elementary", "data_sources": ["Windows event logs"], "description": "Detects alternative credentials material adding. Attackers can abuse msDS-KeyCredentialLink and create a key pair to obtain a persistent and stealthy access to the target user or computer.", "attack": ["credential-access - Modify Authentication Process (T1556)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "52007eaf-87fc-449d-b1ee-89c1595b066f", "name": "Rclone Process", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects Rclone executable or Rclone execution by using the process name, the execution through a command obfuscated or not.", "attack": ["exfiltration - Exfiltration to Cloud Storage (T1567.002)", "command-and-control - Ingress Tool Transfer (T1105)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "b0c4fd9d-0274-4fc9-a806-0b24b54ac7cf", "name": "Permission Discovery Via Wmic", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects discovery of permission on local groups via the tool wmic.", "attack": ["discovery - Local Groups (T1069.001)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "0d95b214-5259-4975-94e5-5fc8575c8321", "name": "Microsoft Defender Antivirus Configuration Changed", "effort": "master", "data_sources": ["Windows event logs", "Anti-virus"], "description": "Detects when an feature configuration change is made to Microsoft Windows Defender (enabling or disabling real-time protection, etc.)", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "c04c3082-3ddc-4e49-a31e-187c2e47e087", "name": "DCSync Attack", "effort": "intermediate", "data_sources": ["Authentication logs", "Windows event logs"], "description": "Detects DCSync attack, it is highly likely that the post-exploitation tool Mimikatz was executed.", "attack": ["credential-access - DCSync (T1003.006)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "22251b0b-221c-42b9-856a-334233ea9ca8", "name": "Cobalt Strike Default Beacons Names", "effort": "intermediate", "data_sources": ["Windows event logs", "Process monitoring", "File monitoring"], "description": "Detects the default names of Cobalt Strike beacons / payloads.", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["Broadcom Siteminder", "Fortinet FortiGate", "Cloudflare Gateway HTTP", "Cybereason EDR", "Elastic AuditBeat Linux", "Trellix Network Security", "Cisco Secure Web Appliance", "Azure Windows", "Proofpoint PoD", "Juniper NGFW", "Daspren Parad", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Zscaler Internet Access", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Fortinet FortiProxy", "Stormshield SNS", "Microsoft 365 / Office 365", "OCSF", "VMware vCenter", "Crowdstrike Falcon Telemetry", "Elastic Winlogbeat", "Watchguard EPDR", "ManageEngine ADAudit Plus", "CrowdStrike Falcon", "Postfix", "Google Workspace / ChromeOS", "Trellix Advanced Threat Defense", "TEHTRIS EDR", "BeyondTrust Privileged Remote Access Session", "BeyondTrust PRA Team [BETA]", "Akamai Guardicore Cloud [BETA]", "Sekoia.io Endpoint Agent", "Cisco Umbrella Proxy", "Varonis Data Security", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Trellix EPO [ALPHA]", "Broadcom/Symantec Endpoint Security", "Trellix ePO (on-prem)", "Cisco IOS router and switch", "WithSecure Elements", "Microsoft Defender XDR (Graph API) [BETA]", "Akamai Guardicore On-Prem [BETA]", "Cisco Secure Firewall", "Palo Alto Prisma access", "IBM AIX", "Windows Log Insight", "SonicWall Firewall", "Mimecast Email Security", "ESET Protect", "Cato Networks SASE", "CyberArk Audit Logs", "Gatewatcher AionIQ V103", "CEF", "Fortinet FortiMail", "Palo Alto NGFW", "Netskope", "Thinkst Canary", "Cisco NX-OS", "Windows", "Jumpcloud Directory Insights", "Keycloak Events", "Gatewatcher AionIQ v102", "Claroty xDome", "Trend Micro Vision One Workbench Alerts [BETA]", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "CyberArk Digital Vault", "Trend Micro Cloud One / Deep Security", "Azure Activity Logs", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "SentinelOne EDR", "Kaspersky Endpoint Security", "IBM iSeries"]}, {"uuid": "7f290c99-7cb3-49a4-9437-40d047a3c32c", "name": "SolarWinds Wrong Child Process", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects SolarWinds process starting an unusual child process. Process solarwinds.businesslayerhost.exe and solarwinds.businesslayerhostx64.exe created an unexepected child process which doesn't correspond to the legitimate ones.", "attack": ["privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["CrowdStrike Falcon", "ESET Protect", "Bitdefender GravityZone", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "SentinelOne Singularity Identity", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "HarfangLab EDR", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "Crowdstrike Falcon Telemetry", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "ecf164f3-ba2e-4e36-9c5b-653a15244306", "name": "Netscan Share Access Artefact", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "Detects netscan artefact on windows network share - indicate network share discovery.", "attack": ["discovery - Network Share Discovery (T1135)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "496c08a1-84ac-4e05-aeef-26daadcf455a", "name": "Wmic Process Call Creation", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "The WMI command-line (WMIC) utility provides a command-line interface for Windows Management Instrumentation (WMI). WMIC is compatible with existing shells and utility commands. Although WMI is supposed to be an administration tool, it is wildy abused by threat actors. One of the reasons is WMI is quite stealthy. This rule detects the wmic command line launching a process on a remote or local host.", "attack": ["execution - Windows Management Instrumentation (T1047)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "795c1a07-d8a8-497d-9632-2ed5cc86a739", "name": "SysKey Registry Keys Access", "effort": "elementary", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects handle requests and access operations to specific registry keys to calculate the SysKey. The SysKey allows to decrypt Security Account Mannager (SAM) database entries (from registry or hive) and get NTLM, and sometimes LM hashes of local accounts passwords. Adversaries can calculate the Syskey by using RegOpenKeyEx/RegQueryInfoKey API calls to query the appropriate class info and values from the HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\JD, HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Skew1, HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\GBG, and HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Data keys.", "attack": ["discovery - Query Registry (T1012)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "831349f2-8ca5-46e3-b3ea-38acd4b503d4", "name": "FoggyWeb Backdoor DLL Loading", "effort": "master", "data_sources": ["DLL monitoring", "Loaded DLLs", "Windows event logs"], "description": "Detects DLL image load activity as used by the threat group NOBELIUM with the FoggyWeb backdoor loader. The prerequisite is to log Loaded DLLs images, which can be done through the Sysmon Event ID 7 (DLL image loaded by process).", "attack": ["execution - Shared Modules (T1129)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "dbc59017-69d0-414e-8036-7a34a24e78d8", "name": "Data Compressed With Rar With Password", "effort": "intermediate", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters", "PowerShell logs"], "description": "An adversary may compress data in order to make it portable and minimize the amount of data sent over the network, this could be done the popular rar command line program. This is a more specific one for rar where the arguments allow to encrypt both file data and headers with a given password.", "attack": ["collection - Archive via Utility (T1560.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "86b48d11-261d-4d65-9beb-7ff7b60d22c7", "name": "Unsigned Image Loaded Into LSASS Process", "effort": "advanced", "data_sources": ["DLL monitoring", "Loaded DLLs", "Process monitoring", "Windows event logs"], "description": "Loading unsigned image (DLL, EXE) into LSASS process. To activate this rule you need to monitor loaded images into the LSASS process, this can be done with SYSMON Event ID 7.", "attack": ["credential-access - LSASS Memory (T1003.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "2eaa25ee-7416-4796-a4bf-11c58dc31350", "name": "Exchange Mailbox Export", "effort": "intermediate", "data_sources": ["Windows event logs", "PowerShell logs", "Process command-line parameters", "Process monitoring"], "description": "Detection of a standard Exchange Mailbox export, which stores all mails from a user in a pst file, from command line or PowerShell script.", "attack": ["collection - Local Email Collection (T1114.001)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "c487b4fa-753d-421a-a34e-8f5dfdb3a3b3", "name": "RUN Registry Key Created From Suspicious Folder", "effort": "advanced", "data_sources": ["Process monitoring", "Windows event logs", "Windows Registry"], "description": "Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories. Prerequisites are logging for Registry events, which can be done with Sysmon (events 12 and 13).", "attack": ["privilege-escalation - Registry Run Keys / Startup Folder (T1547.001)"], "intake-formats": ["Azure Windows", "Sekoia.io Endpoint Agent", "BeyondTrust Privileged Remote Access Session", "Microsoft Defender XDR / Microsoft 365 Defender", "Trend Micro Vision One Workbench Alerts [BETA]", "BeyondTrust PRA Team [BETA]", "SentinelOne Cloud Funnel 2.0", "Crowdstrike Falcon Telemetry", "HarfangLab EDR", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "Windows", "Elastic Winlogbeat"]}, {"uuid": "1646131c-a984-433f-94fa-208eda41164c", "name": "WCE wceaux.dll Creation", "effort": "intermediate", "data_sources": ["Windows event logs", "File monitoring"], "description": "Detects wceaux.dll creation while Windows Credentials Editor (WCE) is executed.", "attack": ["credential-access - OS Credential Dumping (T1003)"], "intake-formats": ["Broadcom Siteminder", "Microsoft Defender XDR (Graph API) [BETA]", "Fortinet FortiGate", "Gatewatcher AionIQ v102", "Cisco Secure Firewall", "Claroty xDome", "Cloudflare Gateway HTTP", "Palo Alto Prisma access", "Trend Micro Vision One Workbench Alerts [BETA]", "IBM AIX", "Watchguard EPDR", "ManageEngine ADAudit Plus", "CrowdStrike Falcon", "Postfix", "SonicWall Firewall", "Cybereason EDR", "Mimecast Email Security", "VMware ESXi", "Google Workspace / ChromeOS", "Cato Networks SASE", "Trellix Network Security", "CyberArk Audit Logs", "Cisco Secure Web Appliance", "Trellix Advanced Threat Defense", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Proofpoint PoD", "BeyondTrust Privileged Remote Access Session", "Gatewatcher AionIQ V103", "CEF", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "Daspren Parad", "Fortinet FortiMail", "One Identity SPS", "Sophos Analysis Threat Center", "CyberArk Digital Vault", "Tanium", "Zscaler Internet Access", "Palo Alto NGFW", "HarfangLab EDR", "Fortinet FortiProxy", "Trend Micro Cloud One / Deep Security", "Microsoft 365 / Office 365", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Netskope", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "Cisco Umbrella Proxy", "Kaspersky Endpoint Security", "Varonis Data Security", "IBM iSeries", "Thinkst Canary", "Cisco NX-OS", "Trend Micro Apex One / Vision One endpoint", "WithSecure Elements", "Trellix ePO (on-prem)", "Windows", "Elastic Winlogbeat"]}, {"uuid": "cacedc72-15e4-4168-a0d5-c5b47f8fe814", "name": "Scheduled Task Creation By Non Privileged User", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects scheduled task creation, either executed by a non-system user or a user who is not administrator (the user ID is not S-1-5-18 or S-1-5-18-*). This detection rule doesn't match Sysmon EventID 1 because the user SID is always set to S-1-5-18. ", "attack": ["privilege-escalation - Scheduled Task (T1053.005)"], "intake-formats": ["Azure Windows", "Microsoft Defender XDR (Graph API) [BETA]", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "SentinelOne Cloud Funnel 2.0", "Tanium", "Crowdstrike Falcon Telemetry", "WALLIX Bastion", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "479a2424-d5b2-4cbd-aca3-bdf30b582165", "name": "OneNote Suspicious Children Process", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "In January 2023, a peak of attacks using .one files was observed in the wild. This rule tries to detect the effect of such attempts using this technique.", "attack": ["privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "IBM AIX", "CrowdStrike Falcon", "SonicWall Firewall", "Stormshield SES", "Cybereason EDR", "VMware ESXi", "ESET Protect", "Bitdefender GravityZone", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "CEF", "Barracuda CloudGen Firewall", "Daspren Parad", "Sophos Analysis Threat Center", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "IBM iSeries", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Broadcom/Symantec Endpoint Security", "Windows", "Elastic Winlogbeat"]}, {"uuid": "a0eeb810-2a3a-4701-b53d-376f9e3d3a4c", "name": "AdFind Usage", "effort": "elementary", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters"], "description": "Detects the usage of the AdFind tool. AdFind.exe is a free tool that extracts information from Active Directory.  Wizard Spider (Bazar, TrickBot, Ryuk), FIN6 and MAZE operators have used AdFind.exe to collect information about Active Directory organizational units and trust objects ", "attack": ["discovery - Domain Trust Discovery (T1482)"], "intake-formats": ["Keycloak Events", "Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Akamai Guardicore On-Prem [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "Windows Log Insight", "F5 BIG-IP", "CrowdStrike Falcon", "Postfix", "SonicWall Firewall", "Stormshield SES", "Cybereason EDR", "VMware ESXi", "ESET Protect", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Trellix EPO [ALPHA]", "Jumpcloud Directory Insights", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "CEF", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Daspren Parad", "One Identity SPS", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "WithSecure Elements", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Microsoft 365 / Office 365", "Akamai Guardicore Cloud [BETA]", "Azure Activity Logs", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "IBM iSeries", "VMware vCenter", "Thinkst Canary", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Broadcom/Symantec Endpoint Security", "Trellix ePO (on-prem)", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "bfe00bf4-3bd0-4ae1-8485-6ef02c1d8fb9", "name": "Suspect Svchost Memory Access", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects suspect access to svchost process memory such as that used by Invoke-Phantom (v1.0) to kill the winRM windows event logging service.", "attack": ["stealth - Disable Windows Event Logging (T1562.002)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "510ebe48-b546-4f26-af2c-c9f327220efa", "name": "Active Directory Replication User Backdoor", "effort": "intermediate", "data_sources": ["Access tokens", "Windows event logs"], "description": "Backdooring domain object to grant the rights associated with DCSync to regular user or machine account, this technics is often used to give ResetPassword or WriteMembers or DCSync permission(s) for persistency on a domain.", "attack": ["privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "f87da5a5-5ed9-4553-a117-4c20565a8a28", "name": "Impacket Secretsdump.py Tool", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "Detects credential dumping via secretdump of impacket suite.", "attack": ["credential-access - Security Account Manager (T1003.002)", "credential-access - NTDS (T1003.003)", "credential-access - LSA Secrets (T1003.004)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "f636da47-3165-410e-a86a-b0aadab79be9", "name": "Netsh RDP Port Forwarding", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Process use of network", "Windows event logs"], "description": "Detects netsh commands that configure a port forwarding of port 3389 used for RDP. This is commonly used by attackers during lateralization on windows environments.", "attack": ["stealth - Disable or Modify System Firewall (T1562.004)", "stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "25fe5bd5-edac-49d6-a8c5-b70365ef7282", "name": "Account Added To A Security Enabled Group", "effort": "master", "data_sources": ["Authentication logs", "Windows event logs"], "description": "Detection in order to investigate who has added a specific Domain User in Domain Admins or Group Policy Creator Owners (Security event 4728)", "attack": ["initial-access - Valid Accounts (T1078)"], "intake-formats": ["Keycloak Events", "Trend Micro Apex One / Vision One endpoint", "Fortinet FortiGate", "Cisco Secure Firewall", "Claroty xDome", "Palo Alto Prisma access", "RSA SecurID", "Sophos EDR", "WatchGuard Firebox", "IBM AIX", "Windows Log Insight", "Clavister NGFW", "F5 BIG-IP", "Ivanti / Pulse Connect Secure", "SonicWall Firewall", "NeroSwarm Honeypot", "Azure Network Watcher [DEPRECATED]", "Citrix NetScaler / ADC", "CyberArk Audit Logs", "Delinea PRA", "ArubaOS Switch", "Radware DefensePro [Beta]", "Salesforce", "Kubernetes Audit Log", "Trellix Advanced Threat Defense", "TEHTRIS EDR", "Azure Windows", "BeyondTrust Privileged Remote Access Session", "AWS CloudTrail", "Check Point NGFW", "BeyondTrust PRA Team [BETA]", "Sophos Analysis Threat Center", "WithSecure Elements", "CyberArk Digital Vault", "Cybereason EDR activity", "Forcepoint Next-Generation Firewall", "Palo Alto NGFW", "HarfangLab EDR", "Microsoft 365 / Office 365", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Lacework Cloud Security", "OCSF", "Sekoia.io Endpoint Agent", "IBM iSeries", "ExtraHop Reveal(x) 360", "Azure Network Watcher Flow Logs", "BeyondTrust PRA Vault Account Activity [BETA]", "Forcepoint Secure Web Gateway", "Thinkst Canary", "VMware vCenter", "Cisco NX-OS", "NucleonEDR", "Stormshield SES", "Trellix ePO (on-prem)", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "a1eacabd-f606-470a-be6e-8ecfaa5e5ad2", "name": "User Account Created", "effort": "master", "data_sources": ["Windows event logs"], "description": "Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720. ", "attack": ["persistence - Local Account (T1136.001)"], "intake-formats": ["Keycloak Events", "Trend Micro Apex One / Vision One endpoint", "Fortinet FortiGate", "Cisco Secure Firewall", "Claroty xDome", "Palo Alto Prisma access", "RSA SecurID", "Sophos EDR", "WatchGuard Firebox", "IBM AIX", "Windows Log Insight", "Clavister NGFW", "F5 BIG-IP", "Ivanti / Pulse Connect Secure", "SonicWall Firewall", "NeroSwarm Honeypot", "Azure Network Watcher [DEPRECATED]", "Citrix NetScaler / ADC", "CyberArk Audit Logs", "Delinea PRA", "ArubaOS Switch", "Radware DefensePro [Beta]", "Salesforce", "Kubernetes Audit Log", "Trellix Advanced Threat Defense", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "BeyondTrust Privileged Remote Access Session", "AWS CloudTrail", "Check Point NGFW", "BeyondTrust PRA Team [BETA]", "Sophos Analysis Threat Center", "WithSecure Elements", "CyberArk Digital Vault", "Cybereason EDR activity", "Forcepoint Next-Generation Firewall", "Palo Alto NGFW", "HarfangLab EDR", "Microsoft 365 / Office 365", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Lacework Cloud Security", "OCSF", "Sekoia.io Endpoint Agent", "IBM iSeries", "ExtraHop Reveal(x) 360", "Azure Network Watcher Flow Logs", "BeyondTrust PRA Vault Account Activity [BETA]", "Forcepoint Secure Web Gateway", "Thinkst Canary", "VMware vCenter", "Cisco NX-OS", "NucleonEDR", "Stormshield SES", "Trellix ePO (on-prem)", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "ea94fb29-73ed-4ba4-afbb-e96af771e96b", "name": "Adexplorer Usage", "effort": "advanced", "data_sources": ["Process monitoring", "Process command-line parameters", "Windows event logs"], "description": "Detects the usage of Adexplorer, a legitimate tool from the Sysinternals suite that could be abused by attackers as it can saves snapshots of the Active Directory Database.", "attack": ["credential-access - Credentials In Files (T1552.001)"], "intake-formats": ["Keycloak Events", "Microsoft Defender XDR (Graph API) [BETA]", "Akamai Guardicore On-Prem [BETA]", "Cisco Secure Firewall", "IBM AIX", "Windows Log Insight", "CrowdStrike Falcon", "Postfix", "SonicWall Firewall", "Stormshield SES", "Cybereason EDR", "VMware ESXi", "ESET Protect", "Citrix NetScaler / ADC", "Elastic AuditBeat Linux", "Trellix EPO [ALPHA]", "Jumpcloud Directory Insights", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "CEF", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Daspren Parad", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Microsoft 365 / Office 365", "Akamai Guardicore Cloud [BETA]", "Azure Activity Logs", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "IBM iSeries", "VMware vCenter", "Thinkst Canary", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Broadcom/Symantec Endpoint Security", "Trellix ePO (on-prem)", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "4830f5fd-6fcd-4d72-9b7d-f6ff2453b2d4", "name": "xWizard Execution", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs", "Process command-line parameters"], "description": "Detects the execution of Xwizard tool with specific arguments which utilized to run custom class properties.", "attack": ["stealth - System Binary Proxy Execution (T1218)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "a866c7af-8e60-4417-b06c-da1b8ab1c973", "name": "Venom Multi-hop Proxy agent detection", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "Detects Venom Multi-hop Proxy agent.", "attack": ["execution - Network Device CLI (T1059.008)", "command-and-control - Protocol Tunneling (T1572)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "Stormshield SES", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Broadcom/Symantec Endpoint Security", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "9a75b74f-ce58-4920-82f6-3f15c291596a", "name": "CVE-2017-11882 Microsoft Office Equation Editor Vulnerability", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects the exploitation of CVE-2017-11882 vulnerability. The Microsoft Office Equation Editor has no reason to do a network request or drop an executable file. This requires a sysmon configuration with file and network events.", "attack": ["stealth - Rundll32 (T1218.011)"], "intake-formats": ["Keycloak Events", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "Windows Log Insight", "CrowdStrike Falcon", "Postfix", "SonicWall Firewall", "Cybereason EDR", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "CEF", "Barracuda CloudGen Firewall", "Daspren Parad", "Sophos Analysis Threat Center", "WithSecure Elements", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Microsoft 365 / Office 365", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "IBM iSeries", "VMware vCenter", "Thinkst Canary", "Cisco NX-OS", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Trellix ePO (on-prem)", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "5f3fa434-5ada-4661-b815-3dcb6456dd0e", "name": "Possible RottenPotato Attack", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "Detects logon events that have characteristics of events generated during an attack leveraging RottenPotato.", "attack": ["collection - Name Resolution Poisoning and SMB Relay (T1557.001)", "privilege-escalation - Access Token Manipulation (T1134)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "28636b47-a914-43d1-ba6c-e77e656633d1", "name": "Antivirus Relevant File Paths Alerts", "effort": "master", "data_sources": ["Windows event logs", "Anti-virus"], "description": "Detects an Antivirus alert in a highly relevant file path or with a relevant file name. This is only based on Windows Defender events.", "attack": ["execution - Exploitation for Client Execution (T1203)", "command-and-control - Remote Access Tools (T1219)"], "intake-formats": ["Sekoia.io Endpoint Agent", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "a6eb4621-1fd3-4e25-a4c7-dcf4e0118a7a", "name": "Protected Storage Service Access", "effort": "master", "data_sources": ["Windows event logs"], "description": "Detects access to a protected_storage service over the network. It could identify potential abuse of DPAPI to extract domain backup keys from Domain Controllers.", "attack": ["lateral-movement - SMB/Windows Admin Shares (T1021.002)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "3542e247-3d56-444d-a530-749ccb0e24f2", "name": "Remote Registry Management Using Reg Utility", "effort": "master", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Remote registry management using REG utility from non-admin workstation. This requires Windows Security events logging.", "attack": ["persistence - Modify Registry (T1112)", "discovery - Query Registry (T1012)", "credential-access - Credentials in Registry (T1552.002)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "f7ee64d4-ac0b-46f8-9bbd-5325bd03ae72", "name": "Spoolsv Wrong Parent", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects if the Spoolsv process was executed by a non-legitimate parent process. Printer Spooler Service (Spoolsv) process is responsible for managing spooled print/fax jobs.", "attack": ["privilege-escalation - Process Injection (T1055)", "privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Azure Windows", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "Elastic Winlogbeat", "SentinelOne Cloud Funnel 2.0", "Tanium", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "5c1a7a47-b7c7-4801-9d6e-8e9bdaaa58f3", "name": "Suspicious Process Requiring DLL Starts Without DLL", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs", "Process command-line parameters"], "description": "Detects potential process injection and hollowing on processes that usually require a DLL to be launched, but are launched without any argument. ", "attack": ["privilege-escalation - Process Injection (T1055)"], "intake-formats": ["Azure Windows", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "Bitdefender GravityZone", "Microsoft Defender XDR / Microsoft 365 Defender", "Trend Micro Vision One Workbench Alerts [BETA]", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Tanium", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "e8748497-a10a-40b2-a1d5-8d372c51719a", "name": "Microsoft Office Product Spawning Windows Shell", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects a Windows command or scripting interpreter executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio. This typically indicates the parent process launched a malicious macro, or run an exploit. This infection vector is very common and could lead to the deployment of harmful malware.", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["Azure Activity Logs", "Azure Windows", "ESET Protect", "OCSF", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "7f3c74d8-2d97-4d74-95ac-cf037fc19307", "name": "Creation or Modification of a GPO Scheduled Task", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "Detects lateral movement using GPO scheduled task, often used to deploy ransomware at scale. This rule is based on the EventID 5145 which is specific to Windows Servers. The advanced audit policy setting Object Access > Audit Detailed File Share must be configured for Success/Failure.", "attack": ["privilege-escalation - Scheduled Task (T1053.005)", "privilege-escalation - Group Policy Modification (T1484.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "7c88bd80-2df5-40d2-8f7f-0b60f185458d", "name": "MMC Spawning Windows Shell", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects a Windows command line executable started from MMC process", "attack": ["lateral-movement - Distributed Component Object Model (T1021.003)"], "intake-formats": ["Azure Activity Logs", "Azure Windows", "ESET Protect", "OCSF", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "2d831218-da56-4591-9fed-90553de56c8b", "name": "Hijack Legit RDP Session To Move Laterally", "effort": "intermediate", "data_sources": ["File monitoring", "Process monitoring", "Windows event logs"], "description": "Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.", "attack": ["execution - Services File Permissions Weakness (T1574.010)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "IBM AIX", "SonicWall Firewall", "Stormshield SES", "Cybereason EDR", "VMware ESXi", "ESET Protect", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Azure Windows", "Juniper NGFW", "CEF", "Barracuda CloudGen Firewall", "Daspren Parad", "Sophos Analysis Threat Center", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "IBM iSeries", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Broadcom/Symantec Endpoint Security", "Windows", "Elastic Winlogbeat"]}, {"uuid": "f2b63a93-be70-4562-8989-5126833f0f79", "name": "Suspicious Certificate Request-adcs Abuse", "effort": "elementary", "data_sources": ["Windows event logs"], "description": "Detects when a new certificate is requested or granted against Active Directory Certificate Services (AD CS) using a Subject Alternative Name (SAN)", "attack": ["credential-access - Steal or Forge Authentication Certificates (T1649)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "87990718-cc8c-4949-9ad5-4d8a9b700098", "name": "MS Office Product Spawning Exe in User Dir", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects an executable in the users directory started from Microsoft Word, Excel, Powerpoint, Publisher or Visio. This is a common technique used by attackers with documents embedding macros. It requires Windows command line logging events.", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["Azure Windows", "ESET Protect", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Bitdefender GravityZone", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Cloud Funnel 2.0", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "edd2385f-3b00-4198-9889-38de697eac1c", "name": "Malicious Service Installations", "effort": "elementary", "data_sources": ["Process use of network", "Windows event logs"], "description": "Generic and known malicious service installation that appear in cases of lateral movement, credential dumping and other suspicious activity. It detects the use of PAExec, Wannacry commonly used malicious service, APT29 known malicious service name and net user service file name which is known as a sign of persistence.", "attack": ["credential-access - OS Credential Dumping (T1003)", "privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent", "Elastic Winlogbeat"]}, {"uuid": "64d8b597-7033-4c85-b6aa-6f7c91f93be2", "name": "Suspicious PROCEXP152.sys File Created In Tmp", "effort": "advanced", "data_sources": ["File monitoring", "Process monitoring", "Windows event logs"], "description": "Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU. Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Broadcom Siteminder", "Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Fortinet FortiGate", "Gatewatcher AionIQ v102", "Cisco Secure Firewall", "Claroty xDome", "Cloudflare Gateway HTTP", "Palo Alto Prisma access", "Sophos EDR", "Trend Micro Vision One Workbench Alerts [BETA]", "IBM AIX", "Watchguard EPDR", "ManageEngine ADAudit Plus", "CrowdStrike Falcon", "Postfix", "SonicWall Firewall", "NeroSwarm Honeypot", "Stormshield SES", "Cybereason EDR", "Mimecast Email Security", "VMware ESXi", "ESET Protect", "Google Workspace / ChromeOS", "Bitdefender GravityZone", "Cato Networks SASE", "Trellix Network Security", "CyberArk Audit Logs", "Cisco Secure Web Appliance", "Trellix Advanced Threat Defense", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Proofpoint PoD", "Juniper NGFW", "BeyondTrust Privileged Remote Access Session", "Gatewatcher AionIQ V103", "CEF", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "Daspren Parad", "Fortinet FortiMail", "One Identity SPS", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Sophos Analysis Threat Center", "Tanium", "WithSecure Elements", "Palo Alto NGFW", "Zscaler Internet Access", "HarfangLab EDR", "Fortinet FortiProxy", "Trend Micro Cloud One / Deep Security", "Microsoft 365 / Office 365", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Netskope", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "Cisco Umbrella Proxy", "Kaspersky Endpoint Security", "Varonis Data Security", "IBM iSeries", "VMware vCenter", "Thinkst Canary", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "Broadcom/Symantec Endpoint Security", "Trellix ePO (on-prem)", "Windows", "Elastic Winlogbeat"]}, {"uuid": "c2243064-6b26-465c-ab79-c167c0eaafa4", "name": "Pandemic Windows Implant", "effort": "master", "data_sources": ["PowerShell logs", "Process command-line parameters", "Windows Registry", "Windows event logs"], "description": "Detects Pandemic Windows Implant through registry keys or specific command lines. Prerequisites: Logging for Registry events is needed, which can be done in the Sysmon configuration (events 12 and 13).", "attack": ["command-and-control - Ingress Tool Transfer (T1105)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "BeyondTrust PRA Team [BETA]", "One Identity SPS", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "WithSecure Elements", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "064c122c-a76c-11eb-8a85-f0d5bf514442", "name": "Suspicious PsExec Execution", "effort": "master", "data_sources": ["Windows event logs"], "description": "Detects execution of PsExec, different from the Sysinternals one. This rule helps to filter out the noise if PsExec is used for legit purposes or if attacker uses a different PsExec client other than Sysinternals one. The prerequisite is to log the Event ID 5145 (by setting \"Audit Policy > Object Access > Audit Detailed File Share\" to Success/Failure).", "attack": ["execution - Service Execution (T1569.002)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "31aaeb8a-d1ba-4c9e-9664-15ad363dcbec", "name": "In-memory PowerShell", "effort": "master", "data_sources": ["DLL monitoring", "Loaded DLLs", "PowerShell logs", "Process monitoring"], "description": "Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's \"load powershell\" extension and tool such PowerShDll.", "attack": ["execution - PowerShell (T1086)", "execution - PowerShell (T1059.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "c1a4626c-461e-4c4f-91cd-1d24b5350e75", "name": "Sysprep On AppData Folder", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects suspicious Sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec). Sysprep is a Windows tool used to change Windows images from a generalized state to a specialized state, and then back to a generalized state. It can be used to remove all system-specific information and reset the computer.", "attack": ["execution - Command and Scripting Interpreter (T1059)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "8a3d85dc-733d-41d0-8e84-6a1d07431715", "name": "DNS Tunnel Technique From MuddyWater", "effort": "elementary", "data_sources": ["PowerShell logs", "Process command-line parameters", "Process monitoring"], "description": "Detecting DNS Tunnel Activity For Muddywater intrusion set. This is the loading of a specific DLL from an Excel macro which is detected.", "attack": ["command-and-control - DNS (T1071.004)"], "intake-formats": ["Azure Activity Logs", "Azure Windows", "OCSF", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "39d1fe65-c708-4698-aa2f-1a87e2401bcb", "name": "WMIC Loading Scripting Libraries", "effort": "master", "data_sources": ["Loaded DLLs", "Windows event logs"], "description": "Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).   The rule requires to log Loaded DLLs to work properly, which can be done using Sysmon Event ID 7.", "attack": ["stealth - XSL Script Processing (T1220)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "32697b17-fd2a-419a-8177-918c3b63518d", "name": "Privileged AD Builtin Group Modified", "effort": "master", "data_sources": ["Windows event logs"], "description": "Detects changes to privileged AD builtin groups in Active Directory that could indicate malicious or unexpected administrative activity. This detection rule detects changes on specific groups that are Administrators (S-1-5-*-500), Domain Admins (S-1-5-*-512), Enterprise Admins (S-1-5-*-519), Schema Admins (S-1-5-*-518), Account Operators (S-1-5-32-548) and Backup Operators (S-1-5-32-551).", "attack": ["impact - Account Access Removal (T1531)", "privilege-escalation - Account Manipulation (T1098)", "privilege-escalation - Domain or Tenant Policy Modification (T1484)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "247b7e55-7a51-45ef-bf2a-6bcd535d87e2", "name": "APT29 Fake Google Update Service Install", "effort": "elementary", "data_sources": ["Windows event logs", "Process monitoring"], "description": "This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe so the service names and executable locations used by APT29 are specific enough to be detected in log files.", "attack": ["privilege-escalation - Windows Service (T1543.003)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "df5d520f-35ea-4735-b44a-bdce7f18fe9f", "name": "Remote Privileged Group Enumeration", "effort": "advanced", "data_sources": ["Windows event logs", "Process monitoring"], "description": "Detects remote listing of local privileged group. Potential false positives, which should justify alert filters, are service accounts and administrators doing maintenance.", "attack": ["discovery - Local Account (T1087.001)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "717a1142-eeab-4118-98dd-20ed96534247", "name": "FromBase64String Command Line", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs", "Process command-line parameters"], "description": "Detects suspicious FromBase64String expressions in command line arguments.", "attack": ["stealth - Deobfuscate/Decode Files or Information (T1140)", "execution - PowerShell (T1059.001)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "3d2f058e-32c7-4048-981f-7d0f19cfcca4", "name": "UAC Bypass via Event Viewer", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs", "Windows Registry", "Process command-line parameters"], "description": "Detects UAC bypass method using Windows event viewer. ", "attack": ["privilege-escalation - Bypass User Account Control (T1548.002)"], "intake-formats": ["Azure Windows", "Microsoft Defender XDR (Graph API) [BETA]", "Sekoia.io Endpoint Agent", "BeyondTrust Privileged Remote Access Session", "Microsoft Defender XDR / Microsoft 365 Defender", "Trend Micro Vision One Workbench Alerts [BETA]", "Sophos Analysis Threat Center", "BeyondTrust PRA Team [BETA]", "SentinelOne Cloud Funnel 2.0", "Crowdstrike Falcon Telemetry", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "8d5e2aca-32c9-499c-850b-50c0e5e1d975", "name": "AMSI Deactivation Using Registry Key", "effort": "master", "data_sources": ["Windows event logs", "Windows Registry", "Process monitoring", "Process command-line parameters"], "description": "The rule detects attempts to deactivate/disable the AMSI provider by deleting the associated registry key.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "b0d4e25e-a745-11eb-b949-f0d5bf514442", "name": "Suspicious Access To Sensitive File Extensions", "effort": "master", "data_sources": ["Windows event logs"], "description": "Detects known sensitive file extensions accessed on a network share. This activity could possibly correspond to a malicious one (removing backup, reading sensitive files, etc.).", "attack": ["collection - Data from Network Shared Drive (T1039)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "fb4fe860-cd20-48ea-8917-aab8e1982cb2", "name": "Microsoft Defender Antivirus History Deleted", "effort": "master", "data_sources": ["Windows event logs", "Anti-virus"], "description": "Windows Defender history has been deleted. Could be an attempt by an attacker to remove its traces.", "attack": ["stealth - Clear Windows Event Logs (T1070.001)"], "intake-formats": ["Azure Windows", "Keycloak Events", "Fortinet FortiGate", "OCSF", "Sekoia.io Endpoint Agent", "Stormshield SES", "AWS CloudTrail", "WithSecure Elements", "CyberArk Audit Logs", "Delinea PRA", "ArubaOS Switch", "HarfangLab EDR", "Ivanti / Pulse Connect Secure", "Trellix ePO (on-prem)", "Windows", "NeroSwarm Honeypot", "Elastic Winlogbeat"]}, {"uuid": "e1775f36-13d0-4cd9-a62a-cfbf11bfa397", "name": "Empire Monkey Activity", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects EmpireMonkey APT reported Activity", "attack": ["stealth - Rundll32 (T1218.011)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "Sekoia.io Endpoint Agent", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "19f78171-3d98-432e-9d41-81de6ca201e0", "name": "Windows Suspicious Scheduled Task Creation", "effort": "master", "data_sources": ["Windows event logs"], "description": "The rule identify creation of new scheduled task who run suspicious commands.", "attack": ["privilege-escalation - Scheduled Task (T1053.005)"], "intake-formats": ["HarfangLab EDR", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "be8b8ef3-34f3-4d3f-9d37-b9812f52b3de", "name": "Anomaly Bruteforce - User Enumeration", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "The rule detects abnormally high number of TGT failed or NTLM authent failed associate to error code username don't exist who could indicate user enumeration", "attack": ["credential-access - Brute Force (T1110)"], "intake-formats": []}, {"uuid": "ea64614a-f7d4-48f9-9441-baf34f9fa846", "name": "FLTMC command usage", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects the use of fltmc to list and load/unload a filter driver.", "attack": ["stealth - Indicator Blocking (T1562.006)"], "intake-formats": ["Azure Activity Logs", "Azure Windows", "OCSF", "SentinelOne EDR", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Bitdefender GravityZone", "Microsoft Defender XDR / Microsoft 365 Defender", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "10f07542-71ae-46af-b178-6ca89e53e4a2", "name": "Potential macOS SSH Brute Force Detected", "effort": "advanced", "data_sources": ["Process command-line parameters"], "description": "Detects a potential ssh bruteforce to gain access to accounts.", "attack": ["lateral-movement - SSH Hijacking (T1563.001)"], "intake-formats": ["Azure Windows", "ESET Protect", "OCSF", "SentinelOne EDR", "SentinelOne Singularity Identity", "Microsoft Defender XDR / Microsoft 365 Defender", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "9ecfad45-391e-4c9d-a8a8-f911dee1182c", "name": "Enable Root Account With Dsenableroot", "effort": "elementary", "data_sources": ["Process command-line parameters"], "description": "Detects when root is enabled. Attackers can use this as a mean of persistence since root is disabled by default.", "attack": ["initial-access - Valid Accounts (T1078)"], "intake-formats": ["Keycloak Events", "Microsoft Defender XDR (Graph API) [BETA]", "Akamai Guardicore On-Prem [BETA]", "Cisco Secure Firewall", "IBM AIX", "Windows Log Insight", "CrowdStrike Falcon", "Postfix", "SonicWall Firewall", "Stormshield SES", "Cybereason EDR", "VMware ESXi", "ESET Protect", "Elastic AuditBeat Linux", "Trellix EPO [ALPHA]", "Jumpcloud Directory Insights", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "CEF", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Daspren Parad", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Microsoft 365 / Office 365", "Akamai Guardicore Cloud [BETA]", "Azure Activity Logs", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "OCSF", "Sekoia.io Endpoint Agent", "SentinelOne EDR", "IBM iSeries", "VMware vCenter", "Thinkst Canary", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Broadcom/Symantec Endpoint Security", "Trellix ePO (on-prem)", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "bff04587-6551-4e84-9ad9-eb11a56a2fdf", "name": "Chflags Hidden", "effort": "advanced", "data_sources": ["Process command-line parameters"], "description": "Detects the use of the hidden flag by the utility chflags to hide files and directories.", "attack": ["stealth - Hidden Files and Directories (T1564.001)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "6114a31f-b55c-4ba1-8372-c5f0f306e901", "name": "Generic Password Discovery", "effort": "advanced", "data_sources": ["Process command-line parameters"], "description": "Detects when the security utility is used to access passwords in a keychain.", "attack": ["credential-access - Keychain (T1555.001)"], "intake-formats": ["Azure Activity Logs", "Azure Windows", "OCSF", "SentinelOne EDR", "SentinelOne Singularity Identity", "Bitdefender GravityZone", "Microsoft Defender XDR / Microsoft 365 Defender", "Sophos Analysis Threat Center", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Crowdstrike Falcon Telemetry", "CrowdStrike Falcon", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "ce6e6b61-d655-4167-af9a-3700eceef4e1", "name": "Tmutil Delete Backups", "effort": "elementary", "data_sources": ["Process command-line parameters"], "description": "Detects when the utility tmutil is used to delete backups. The Time Machine utility is used to restore data from backups, add or remove exclusions, and compare backups.", "attack": ["impact - Inhibit System Recovery (T1490)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "0e3e928b-8f0d-4cc8-830f-d0a2267c4c8c", "name": "AppleScript Password Prompt", "effort": "advanced", "data_sources": ["Process command-line parameters"], "description": "Detects when a prompt is displayed to gain credentials. This technique is used by MacOS malware to obtain the user's password.", "attack": ["credential-access - Input Capture (T1056)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "07b34666-caa5-4af1-a4da-57b0332339ea", "name": "Dscl Authonly", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "Detects the use of the command dscl with authonly used to verify the password of a user and for authentification. An attacker can abuse this command to gain credentials.", "attack": ["initial-access - Valid Accounts (T1078)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "8e82680d-0612-4c93-a253-597724bdb1a9", "name": "User Added To Admin Group Via Cmd", "effort": "advanced", "data_sources": ["Process command-line parameters"], "description": "Detects the use of different commands to add a user to an admin group.", "attack": ["initial-access - Local Accounts (T1078.003)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "a2f8ef99-04a2-431b-be6e-03cc8ff5f918", "name": "Attempt to Disable Gatekeeper Execution Control", "effort": "elementary", "data_sources": ["Process command-line parameters"], "description": "Detects attempts to disable Gatekeeper through the command line. Gatekeeper is a macOS feature designed to ensure that only trusted, signed software can be executed.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "IBM AIX", "CrowdStrike Falcon", "VMware ESXi", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "bc89ae2d-5eee-43ce-a28a-76732bc22541", "name": "Tmutil Exclude File From Backups", "effort": "master", "data_sources": ["Process command-line parameters"], "description": "Detects when the utility tmutil is used to exclude paths from backups.", "attack": ["impact - Inhibit System Recovery (T1490)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "5d41b34d-e2bd-46ae-b365-dda3b0dbc7c5", "name": "Tmutil Disabled", "effort": "elementary", "data_sources": ["Process command-line parameters"], "description": "Detects when the utility tmutil is disabled. The Time Machine utility is used to restore data from backups, add or remove exclusions, and compare backups.", "attack": ["impact - Inhibit System Recovery (T1490)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "016fc894-f655-429c-9739-88c2f2e57f2b", "name": "Startup Item Created", "effort": "intermediate", "data_sources": ["Process command-line parameters"], "description": "Detects when a item is added to the startup directory. An attacker can use this establish persistence.", "attack": ["privilege-escalation - Startup Items (T1037.005)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "IBM AIX", "F5 BIG-IP", "CrowdStrike Falcon", "VMware ESXi", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Elastic AuditBeat Linux", "Palo Alto Cortex XDR (EDR)", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Juniper NGFW", "SentinelOne Singularity Identity", "BeyondTrust Privileged Remote Access Session", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "WithSecure Elements", "SentinelOne Cloud Funnel 2.0", "CyberArk Digital Vault", "Cybereason EDR activity", "Tanium", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Trend Micro Cloud One / Deep Security", "Stormshield SNS", "Azure Activity Logs", "OCSF", "SentinelOne EDR", "VMware vCenter", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "NucleonEDR", "WALLIX Bastion", "Stormshield SES", "Windows", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "198e1cd6-d997-43ce-a2c7-7e586b756d46", "name": "Phishing Detected By Vade For M365 And Not Blocked", "effort": "advanced", "data_sources": ["Anti-virus", "Email gateway"], "description": "Vade Secure product Vade for M365 has detected a phishing attempt from an email that is not whitelisted and didn't move the email to the junk folder.", "attack": ["initial-access - Spearphishing Attachment (T1566.001)", "initial-access - Spearphishing Link (T1566.002)", "initial-access - Spearphishing via Service (T1566.003)"], "intake-formats": ["Vade for M365"]}, {"uuid": "e24b272b-a6b1-428c-9f2f-d23b87afbca8", "name": "Anomaly Fortigate IPS Alert Peak", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "The rule detects abnormally high number of Fortigate IPS alert", "attack": ["reconnaissance - Active Scanning (T1595)"], "intake-formats": []}, {"uuid": "de6d933d-4a96-4b24-8df2-e768dc678825", "name": "Suspicious URL Requested By Curl Or Wget Commands", "effort": "advanced", "data_sources": ["Web proxy", "Web application firewall logs", "Process monitoring", "Process command-line parameters"], "description": "Correlation rule aiming to be multi-source to detect URL with suspicious files extensions (seen on a network level by proxies or firewalls) being requested by curl or wget processes (seen on a host level).", "attack": ["persistence - Cloud Account (T1136.003)"], "intake-formats": ["F5 BIG-IP", "Zscaler Internet Access", "OCSF", "Windows"]}, {"uuid": "642e0455-bc85-45de-941a-2ecba9914f55", "name": "SharePoint Authenticated SSRF", "effort": "elementary", "data_sources": ["Packet capture", "Web logs", "Web application firewall logs", "Web proxy"], "description": "Detects succesful SSRF from an authenticated SharePoint user.", "attack": ["stealth - Exploitation for Stealth (T1211)", "defense-impairment - Network Boundary Bridging (T1599)"], "intake-formats": ["Cisco Secure Firewall", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "Squid", "F5 BIG-IP", "AWS WAF", "Apache HTTP Server", "Broadcom Edge Secure Web Gateway", "PingFederate", "Citrix NetScaler / ADC", "Olfeo SAAS", "Imperva WAF", "Cisco Secure Web Appliance", "Azure Front Door", "Salesforce", "HAProxy", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "Netskope Transaction Events with AWS S3", "Zscaler Internet Access", "HarfangLab EDR", "Zscaler Private Access [BETA]", "OGO WAF", "Sophos Firewall", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "Google Cloud Load Balancing", "OCSF", "Cisco Umbrella Proxy", "F5 NGINX", "VMware vCenter", "Suricata", "Thinkst Canary"]}, {"uuid": "501ad68f-28c5-4e86-acf1-e00090c7dec6", "name": "ExtraHop Reveal(x) 360 Intrusion Detection High Severity", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "ExtraHop Reveal(x) 360 raised an intrusion detection alert with high severity.", "attack": ["reconnaissance - Active Scanning (T1595)"], "intake-formats": ["ExtraHop Reveal(x) 360"]}, {"uuid": "cc36e8db-ceb4-453b-ad75-f0ff8fbed493", "name": "Login Brute-Force Successful On Rubycat PROVE IT", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "A user has attempted to login several times (brute-force) through Rubycat PROVE IT protected devices and succeeded to login.", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": []}, {"uuid": "1e1185cf-337e-4368-9274-937f87728ee4", "name": "Netskope Successful Brute-Force On Management Console", "effort": "master", "data_sources": ["Authentication logs", "Web application firewall logs", "Web logs", "Web proxy"], "description": "Detects successful access to Netskope management console after more than 10 failures in 5 minutes for the same user name.", "attack": ["credential-access - Brute Force (T1110)", "initial-access - Valid Accounts (T1078)"], "intake-formats": ["Netskope"]}, {"uuid": "d63ac73e-a00d-4c54-98ee-def8956b1bbd", "name": "Malware Detected By Vade For M365", "effort": "master", "data_sources": ["Anti-virus", "Email gateway"], "description": "Vade Secure product Vade for M365 has detected a malware contained in the message.", "attack": ["initial-access - Phishing (T1566)", "execution - Malicious File (T1204.002)"], "intake-formats": ["Vade for M365"]}, {"uuid": "81a998b2-5207-4909-b88b-a6e73e144962", "name": "1Password EPM Brute Force", "effort": "master", "data_sources": ["Authentication logs"], "description": "Detects multiple failed login followed by a success from the same user.", "attack": ["credential-access - Brute Force (T1110)"], "intake-formats": ["1Password EPM"]}, {"uuid": "2e9ce1aa-1fb1-4094-a58f-c0e59e272125", "name": "Cyberwatch Detection Critical Vulnerability", "effort": "master", "data_sources": ["Asset management"], "description": "Cyberwatch Detection has detected an asset with a critical vulnerability ", "attack": ["resource-development - Vulnerabilities (T1588.006)"], "intake-formats": ["Cyberwatch Detection"]}, {"uuid": "c3611e39-bdfd-4908-bd4b-e84869643296", "name": "Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)", "effort": "advanced", "data_sources": ["Email gateway"], "description": "Cx0 fraud and Patient Zero Detection alerts detected by Retarus Email Security. CxO Fraud Detection uses algorithms that identify from-spoofing and domain-spoofing, to detect falsified sender addresses (e.g. from high level executives - CEO, CFO...). Patient Zero Detection\u00ae uses a digital fingerprint to identify emails containing malware that have already been delivered.", "attack": ["initial-access - Spearphishing Attachment (T1566.001)", "initial-access - Spearphishing Link (T1566.002)"], "intake-formats": ["Retarus Email Security"]}, {"uuid": "b85716b1-5933-456a-8191-88908b276cd8", "name": "Rubycat PROVEIT Admin Service Modified", "effort": "master", "data_sources": ["Authentication logs"], "description": "Rubycat PROVEIT has detected a service modification that could require some review if not expected.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Rubycat PROVE IT"]}, {"uuid": "8fb8c59d-b4a0-425b-9773-73819b82d657", "name": "Spearphishing (Lawyer Fraud) Detected By Vade For M365", "effort": "master", "data_sources": ["Anti-virus", "Email gateway"], "description": "Vade Secure product Vade for M365 has detected a spearphishing attempt with lawyer fraud thematic. Impersonation of lawyers and lawyers' firms. The main goal is to make sure the victims will not raise awareness around them. Confidentiality restrictions are implied.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Vade for M365"]}, {"uuid": "2fe88e90-a559-4f05-a56d-3142a85e5cbf", "name": "Fortigate IPS Critical Alert", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Fortigate intrusion detection alert with critical severity.", "attack": ["reconnaissance - Active Scanning (T1595)"], "intake-formats": ["Fortinet FortiGate"]}, {"uuid": "8b59cfb4-ee83-48f3-8d0a-dcf234c5682b", "name": "Koadic MSHTML Command", "effort": "intermediate", "data_sources": ["Netflow/Enclave netflow", "Network protocol analysis", "Packet capture", "Web logs"], "description": "Detects Koadic payload using MSHTML module", "attack": ["command-and-control - Web Protocols (T1071.001)"], "intake-formats": ["Broadcom Siteminder", "Fortinet FortiGate", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "AWS WAF", "Apache HTTP Server", "NeroSwarm Honeypot", "Sekoia.io activity logs", "Trellix Network Security", "Delinea PRA", "Cisco Secure Web Appliance", "Azure Front Door", "Lookout Mobile Endpoint Security", "Proofpoint PoD", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Zscaler Internet Access", "HarfangLab EDR", "Fortinet FortiProxy", "Stormshield SNS", "Microsoft 365 / Office 365", "Google Cloud Load Balancing", "OCSF", "VMware vCenter", "Suricata", "Crowdstrike Falcon Telemetry", "Cisco ISE", "Broadcom Edge Secure Web Gateway", "CrowdStrike Falcon", "PingFederate", "Olfeo SAAS", "Cloudflare WAF events", "Fastly Next-Gen WAF Audit Logs", "Kubernetes Audit Log", "Fortinet FortiWeb", "TEHTRIS EDR", "Akamai WAF", "AWS CloudFront", "BeyondTrust Privileged Remote Access Session", "Microsoft Entra ID / Azure AD", "BeyondTrust PRA Team [BETA]", "Cloudflare HTTP requests", "Ubika Cloud Protector Traffic [DEPRECATED]", "Zscaler Private Access [BETA]", "Wiz Issues", "Aleph Alerts [BETA]", "Cisco Umbrella Proxy", "F5 NGINX", "Forcepoint Secure Web Gateway", "Check Point Harmony Email & Collaboration Suite Security", "Trend Micro Apex One / Vision One endpoint", "Broadcom/Symantec Endpoint Security", "Stormshield SES", "WithSecure Elements", "Cisco IOS router and switch", "Proofpoint TAP", "Microsoft Defender XDR (Graph API) [BETA]", "Akamai Guardicore On-Prem [BETA]", "Cisco Secure Firewall", "Palo Alto Prisma access", "Ubika WAAP Gateway", "PRODAFT USTA Cyber Threat Intelligence Platform", "SonicWall Firewall", "Mimecast Email Security", "Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "Citrix NetScaler / ADC", "Cato Networks SASE", "Cisco ESA", "Ubika Cloud Protector Next Generation Alerts", "Imperva WAF", "Salesforce", "HAProxy", "Olfeo secure web gateway", "Gatewatcher AionIQ V103", "CEF", "Check Point NGFW", "F5 Distributed Cloud", "Fortinet FortiMail", "Netskope Transaction Events with AWS S3", "Palo Alto NGFW", "Azure Files", "Sophos Firewall", "Netskope", "Microsoft IIS", "Thinkst Canary", "Windows", "Gatewatcher AionIQ v102", "Sophos EDR", "WatchGuard Firebox", "Squid", "Cisco Meraki MX", "F5 BIG-IP", "Ivanti / Pulse Connect Secure", "Jizo AI / Sesame it NDR", "VMware ESXi", "Bitdefender GravityZone", "Broadcom Cloud Secure Web Gateway", "Retarus Email Security", "Microsoft Defender XDR / Microsoft 365 Defender", "OGO WAF", "Trend Micro Cloud One / Deep Security", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "SentinelOne EDR", "Azure Key Vault", "Kaspersky Endpoint Security", "Ubika Cloud Protector Alerts [DEPRECATED]", "Cisco Catalyst SD-WAN"]}, {"uuid": "e2c6ec80-d1e3-4503-bccf-f25bfe264fd2", "name": "Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL", "effort": "elementary", "data_sources": ["Network device logs", "Network protocol analysis", "Web logs", "Web application firewall logs"], "description": "Detects Raccoon Stealer 2.0 malware downloading legitimate third-party DLLs from its C2 server. These legitimate DLLs are used by the information stealer to collect data on the compromised hosts.", "attack": ["command-and-control - Web Protocols (T1071.001)", "command-and-control - Ingress Tool Transfer (T1105)"], "intake-formats": ["Microsoft Defender XDR (Graph API) [BETA]", "Fortinet FortiGate", "Cisco Secure Firewall", "Cloudflare Gateway HTTP", "Palo Alto Prisma access", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "Squid", "Cisco ISE", "Cisco Meraki MX", "PRODAFT USTA Cyber Threat Intelligence Platform", "AWS WAF", "Apache HTTP Server", "F5 BIG-IP", "SonicWall Firewall", "PingFederate", "Stormshield SES", "Jizo AI / Sesame it NDR", "Mimecast Email Security", "VMware ESXi", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Cato Networks SASE", "Cisco ESA", "Olfeo SAAS", "Trellix Network Security", "Imperva WAF", "Delinea PRA", "Cisco Secure Web Appliance", "Azure Front Door", "Salesforce", "TEHTRIS EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Proofpoint PoD", "HAProxy", "Olfeo secure web gateway", "BeyondTrust Privileged Remote Access Session", "Microsoft Entra ID / Azure AD", "CEF", "Check Point NGFW", "BeyondTrust PRA Team [BETA]", "Fortinet FortiMail", "Netskope Transaction Events with AWS S3", "SentinelOne Cloud Funnel 2.0", "Zscaler Internet Access", "Palo Alto NGFW", "Azure Files", "HarfangLab EDR", "Fortinet FortiProxy", "OGO WAF", "Sophos Firewall", "Trend Micro Cloud One / Deep Security", "Microsoft 365 / Office 365", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Netskope", "Zscaler Private Access [BETA]", "Azure Application Gateway", "Google Cloud Load Balancing", "OCSF", "SentinelOne EDR", "Azure Key Vault", "Cisco Umbrella Proxy", "F5 NGINX", "VMware vCenter", "Forcepoint Secure Web Gateway", "Suricata", "Thinkst Canary", "Check Point Harmony Email & Collaboration Suite Security", "Trend Micro Apex One / Vision One endpoint", "Broadcom/Symantec Endpoint Security", "Windows", "Cisco IOS router and switch", "Proofpoint TAP"]}, {"uuid": "41d7462b-83b7-473c-b82b-b607f1adad0e", "name": "Privilege Escalation Awesome Scripts (PEAS)", "effort": "elementary", "data_sources": ["Network device logs", "Packet capture", "Windows event logs", "Process command-line parameters"], "description": "Detect PEAS privileges escalation scripts and binaries", "attack": ["resource-development - Tool (T1588.002)"], "intake-formats": ["Fortinet FortiGate", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "AWS WAF", "Apache HTTP Server", "Sekoia.io activity logs", "Elastic AuditBeat Linux", "Trellix Network Security", "Cisco Secure Web Appliance", "Azure Front Door", "Azure Windows", "Juniper NGFW", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Zscaler Internet Access", "Forcepoint Next-Generation Firewall", "HarfangLab EDR", "Stormshield SNS", "Google Cloud Load Balancing", "OCSF", "VMware vCenter", "Suricata", "Crowdstrike Falcon Telemetry", "Elastic Winlogbeat", "Broadcom Edge Secure Web Gateway", "CrowdStrike Falcon", "PingFederate", "Olfeo SAAS", "TEHTRIS EDR", "BeyondTrust Privileged Remote Access Session", "Microsoft Entra ID / Azure AD", "Zscaler Private Access [BETA]", "Sekoia.io Endpoint Agent", "Cisco Umbrella Proxy", "F5 NGINX", "Forcepoint Secure Web Gateway", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "WithSecure Elements", "Cisco IOS router and switch", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Palo Alto Prisma access", "Ubika WAAP Gateway", "IBM AIX", "SonicWall Firewall", "Google Kubernetes Engine", "Citrix NetScaler / ADC", "Imperva WAF", "Salesforce", "HAProxy", "Olfeo secure web gateway", "CEF", "Check Point NGFW", "Netskope Transaction Events with AWS S3", "Palo Alto NGFW", "Sophos Firewall", "Thinkst Canary", "Cisco NX-OS", "NucleonEDR", "Windows", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "Squid", "Cisco Meraki MX", "F5 BIG-IP", "VMware ESXi", "Bitdefender GravityZone", "Palo Alto Cortex XDR (EDR)", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "CyberArk Digital Vault", "OGO WAF", "Trend Micro Cloud One / Deep Security", "Azure Activity Logs", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "SentinelOne EDR", "WALLIX Bastion"]}, {"uuid": "65fb80f9-ecd6-458d-9b29-3ed561bbcf29", "name": "ESET Protect Set Policy", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects when a new policy is set or removed.", "attack": ["privilege-escalation - Domain or Tenant Policy Modification (T1484)"], "intake-formats": ["ESET Protect"]}, {"uuid": "3064cf77-6c30-4384-aec8-aa025ce05184", "name": "Login Brute-Force On FreeRadius", "effort": "intermediate", "data_sources": ["Authentication logs"], "description": "A user has attempted to login several times (brute-force) with error then one success.", "attack": ["credential-access - Brute Force (T1110)", "initial-access - Valid Accounts (T1078)"], "intake-formats": ["FreeRADIUS"]}, {"uuid": "e7e23a2c-ddb8-425c-8a1c-ec9e34034431", "name": "Spam Detected By Vade For M365 And Not Blocked", "effort": "advanced", "data_sources": ["Anti-virus", "Email gateway"], "description": "Vade Secure product Vade for M365, has detected a spam e-mail and didn't block it.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Vade for M365"]}, {"uuid": "ce5fbf2e-a845-408d-89a3-ae1b7a9dc664", "name": "Correlation Fortigate Multi Dest From One Internal Ip", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "This rule detect an internal asset that targets several destination IP address with the same threat", "attack": ["reconnaissance - Active Scanning (T1595)"], "intake-formats": ["Fortinet FortiGate"]}, {"uuid": "f3492a34-bf75-4963-b3a5-44943aff530a", "name": "Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan", "effort": "advanced", "data_sources": ["Web proxy", "Anti-virus"], "description": "Cloudflare Gateway allows admins to enable Anti-Virus (AV) scanning of files that are uploaded or downloaded by users as the file passes through Gateway. AV scanning of files requires organizations to enable Proxy mode under Settings > Network > Layer 7 Firewall. TLS decryption is also recommended to enable inspection of HTTPS traffic.", "attack": ["command-and-control - Web Protocols (T1071.001)", "command-and-control - Ingress Tool Transfer (T1105)"], "intake-formats": ["Cloudflare Gateway HTTP"]}, {"uuid": "24d704c1-53e2-4e09-b88f-7ebc8e73cd09", "name": "Possible Malicious File Double Extension", "effort": "elementary", "data_sources": ["Packet capture", "Web logs", "Web application firewall logs", "Web proxy"], "description": "Detects request to potential malicious file with double extension", "attack": ["initial-access - Phishing (T1566)", "stealth - Double File Extension (T1036.007)"], "intake-formats": ["Fortinet FortiGate", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "AWS WAF", "Apache HTTP Server", "Sekoia.io activity logs", "Trellix Network Security", "Delinea PRA", "Cisco Secure Web Appliance", "Azure Front Door", "Lookout Mobile Endpoint Security", "Proofpoint PoD", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Zscaler Internet Access", "HarfangLab EDR", "Fortinet FortiProxy", "Microsoft 365 / Office 365", "Google Cloud Load Balancing", "OCSF", "VMware vCenter", "Suricata", "Cisco ISE", "Broadcom Edge Secure Web Gateway", "PingFederate", "Olfeo SAAS", "Fastly Next-Gen WAF Audit Logs", "TEHTRIS EDR", "BeyondTrust Privileged Remote Access Session", "Microsoft Entra ID / Azure AD", "BeyondTrust PRA Team [BETA]", "Zscaler Private Access [BETA]", "Cisco Umbrella Proxy", "F5 NGINX", "Forcepoint Secure Web Gateway", "Check Point Harmony Email & Collaboration Suite Security", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Broadcom/Symantec Endpoint Security", "Cisco IOS router and switch", "Proofpoint TAP", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Palo Alto Prisma access", "Ubika WAAP Gateway", "PRODAFT USTA Cyber Threat Intelligence Platform", "SonicWall Firewall", "Mimecast Email Security", "Citrix NetScaler / ADC", "Cato Networks SASE", "Cisco ESA", "Imperva WAF", "Salesforce", "HAProxy", "Olfeo secure web gateway", "CEF", "Check Point NGFW", "Fortinet FortiMail", "Netskope Transaction Events with AWS S3", "Palo Alto NGFW", "Azure Files", "Sophos Firewall", "Netskope", "Thinkst Canary", "Windows", "Sophos EDR", "Squid", "Cisco Meraki MX", "F5 BIG-IP", "Jizo AI / Sesame it NDR", "VMware ESXi", "Bitdefender GravityZone", "Microsoft Defender XDR / Microsoft 365 Defender", "OGO WAF", "Trend Micro Cloud One / Deep Security", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "SentinelOne EDR", "Azure Key Vault"]}, {"uuid": "235ffb78-35af-4806-9ee2-f6bdaeec2d92", "name": "Potential DNS Tunnel", "effort": "advanced", "data_sources": ["DNS records", "Netflow/Enclave netflow", "Network protocol analysis", "Web logs"], "description": "Detects domain name which is longer than 62 characters. Long domain names are distinctive of DNS tunnels.", "attack": ["exfiltration - Exfiltration Over Alternative Protocol (T1048)", "command-and-control - Protocol Tunneling (T1572)"], "intake-formats": ["Fortinet FortiGate", "Cloudflare Gateway HTTP", "Hornetsecurity 365 Total Protection", "AWS WAF", "Apache HTTP Server", "Delinea PRA", "Cisco Secure Web Appliance", "Cloudflare Gateway Network", "Azure Windows", "Juniper NGFW", "Sophos Analysis Threat Center", "One Identity SPS", "Cloudflare DNS logs", "SentinelOne Cloud Funnel 2.0", "Tanium", "Zscaler Internet Access", "Vectra Cognito Detect", "HarfangLab EDR", "Fortinet FortiProxy", "EfficientIP SOLIDServer DDI", "OCSF", "Suricata", "Cloudflare Gateway DNS", "Crowdstrike Falcon Telemetry", "Elastic Winlogbeat", "Cisco ISE", "Broadcom Edge Secure Web Gateway", "CrowdStrike Falcon", "Infoblox DDI", "Postfix", "PingFederate", "Cloudflare WAF events", "AWS CloudFront", "AWS GuardDuty", "BIND", "Zscaler Private Access [BETA]", "Nozomi CMC", "Akamai Guardicore Cloud [BETA]", "Cisco Umbrella Proxy", "F5 NGINX", "Forcepoint Secure Web Gateway", "Trend Micro Apex One / Vision One endpoint", "Cisco Umbrella DNS", "Broadcom/Symantec Endpoint Security", "Akamai Guardicore On-Prem [BETA]", "Cisco Secure Firewall", "Palo Alto Prisma access", "Unbound", "SonicWall Firewall", "Cato Networks SASE", "Imperva WAF", "ArubaOS Switch", "HAProxy", "CEF", "Check Point NGFW", "Fortinet FortiMail", "Palo Alto NGFW", "Sophos Firewall", "Thinkst Canary", "Cisco NX-OS", "Windows", "Gatewatcher AionIQ v102", "Claroty xDome", "WatchGuard Firebox", "Squid", "F5 BIG-IP", "Ivanti / Pulse Connect Secure", "VMware ESXi", "Broadcom Cloud Secure Web Gateway", "Palo Alto Cortex XDR (EDR)", "Retarus Email Security", "SentinelOne Singularity Identity", "Barracuda CloudGen Firewall", "CyberArk Digital Vault", "OGO WAF", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "WALLIX Bastion", "Vade Cloud"]}, {"uuid": "919d97e6-9804-4360-a209-4e51c514e0fb", "name": "ESET Protect Intrusion Detection", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects when the solution ESET Protect detects an intrusion.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["ESET Protect"]}, {"uuid": "6741888d-e18e-4832-ae91-5bf056650e51", "name": "Suspicious URI Used In A Lazarus Campaign", "effort": "intermediate", "data_sources": ["Web logs", "Web proxy", "Web application firewall logs"], "description": "Detects suspicious requests to a specific URI, usually on an .asp page. The website is often compromised.", "attack": ["command-and-control - Ingress Tool Transfer (T1105)"], "intake-formats": ["Fortinet FortiGate", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "AWS WAF", "Apache HTTP Server", "Sekoia.io activity logs", "Trellix Network Security", "Delinea PRA", "Cisco Secure Web Appliance", "Azure Front Door", "Lookout Mobile Endpoint Security", "Proofpoint PoD", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Zscaler Internet Access", "HarfangLab EDR", "Fortinet FortiProxy", "Microsoft 365 / Office 365", "Google Cloud Load Balancing", "OCSF", "VMware vCenter", "Suricata", "Cisco ISE", "Broadcom Edge Secure Web Gateway", "PingFederate", "Olfeo SAAS", "Fastly Next-Gen WAF Audit Logs", "TEHTRIS EDR", "BeyondTrust Privileged Remote Access Session", "Microsoft Entra ID / Azure AD", "BeyondTrust PRA Team [BETA]", "Zscaler Private Access [BETA]", "Cisco Umbrella Proxy", "F5 NGINX", "Forcepoint Secure Web Gateway", "Check Point Harmony Email & Collaboration Suite Security", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Broadcom/Symantec Endpoint Security", "Cisco IOS router and switch", "Proofpoint TAP", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Palo Alto Prisma access", "Ubika WAAP Gateway", "PRODAFT USTA Cyber Threat Intelligence Platform", "SonicWall Firewall", "Mimecast Email Security", "Citrix NetScaler / ADC", "Cato Networks SASE", "Cisco ESA", "Imperva WAF", "Salesforce", "HAProxy", "Olfeo secure web gateway", "CEF", "Check Point NGFW", "Fortinet FortiMail", "Netskope Transaction Events with AWS S3", "Palo Alto NGFW", "Azure Files", "Sophos Firewall", "Netskope", "Thinkst Canary", "Windows", "Sophos EDR", "Squid", "Cisco Meraki MX", "F5 BIG-IP", "Jizo AI / Sesame it NDR", "VMware ESXi", "Bitdefender GravityZone", "Microsoft Defender XDR / Microsoft 365 Defender", "OGO WAF", "Trend Micro Cloud One / Deep Security", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "SentinelOne EDR", "Azure Key Vault"]}, {"uuid": "3bab8078-be30-406a-ad16-c2019930bba1", "name": "Forcepoint Secure Web Gateway Malicious Websites", "effort": "master", "data_sources": ["Web proxy"], "description": "Forcepoint Secure Web Gateway has detected an access to an IP/domain tagged as malicious. Even if it has been blocked, it could be interesting to investigate the source asset.", "attack": ["exfiltration - Exfiltration Over C2 Channel (T1041)"], "intake-formats": []}, {"uuid": "dd6116e5-2277-4f39-96b1-fc7d9b72cd45", "name": "FreeRADIUS Failed Authentication", "effort": "advanced", "data_sources": ["Network device logs", "Authentication logs"], "description": "A failed authentication was logged by FreeRADIUS ", "attack": ["credential-access - Password Guessing (T1110.001)"], "intake-formats": ["FreeRADIUS"]}, {"uuid": "b191cb21-904e-4c50-b628-79d396101f44", "name": "Cisco Umbrella Threat Detected", "effort": "intermediate", "data_sources": ["Packet capture", "Web logs", "Web application firewall logs", "Web proxy", "DNS records"], "description": "Cisco Umbrella has detected a malicious traffic categorized as malware, phishing or adware.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Cisco Umbrella DNS", "Sekoia.io Endpoint Agent"]}, {"uuid": "bfc2e7cc-a829-4ead-9688-1b0ed420e6dd", "name": "GitLab CVE-2021-22205", "effort": "intermediate", "data_sources": ["Network device logs", "Packet capture", "Windows event logs"], "description": "Detects GitLab vulnerability CVE-2021-22205 exploitation success. It allows an attacker to do some remote code execution with user git. The HTTP return code 422 indicates a successfull exploitation.", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Cisco Secure Firewall", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "Squid", "F5 BIG-IP", "AWS WAF", "Apache HTTP Server", "Broadcom Edge Secure Web Gateway", "PingFederate", "Citrix NetScaler / ADC", "Olfeo SAAS", "Imperva WAF", "Cisco Secure Web Appliance", "Azure Front Door", "Salesforce", "HAProxy", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "Netskope Transaction Events with AWS S3", "Zscaler Internet Access", "HarfangLab EDR", "Zscaler Private Access [BETA]", "OGO WAF", "Sophos Firewall", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "Google Cloud Load Balancing", "OCSF", "Sekoia.io Endpoint Agent", "Cisco Umbrella Proxy", "F5 NGINX", "VMware vCenter", "Suricata", "Thinkst Canary", "Windows"]}, {"uuid": "65be743f-38b6-4d7f-b415-4baf3d0837c5", "name": "Broadcom Edge Secure Web Gateway Anomaly TCP Denied", "effort": "master", "data_sources": ["Network protocol analysis"], "description": "Detects a high number of connection TCP denied.", "attack": ["discovery - System Network Connections Discovery (T1049)"], "intake-formats": []}, {"uuid": "a3b336de-05ed-463e-8b3f-c8940415adf6", "name": "Suspicious Download Links From Legitimate Services", "effort": "intermediate", "data_sources": ["Packet capture", "Web logs", "Web proxy", "Web application firewall logs"], "description": "Detects users clicking on Google docs links to download suspicious files. This technique was used a lot by Bazar Loader in the past.", "attack": ["initial-access - Spearphishing Link (T1566.002)"], "intake-formats": ["Fortinet FortiGate", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "AWS WAF", "Apache HTTP Server", "Sekoia.io activity logs", "Trellix Network Security", "Delinea PRA", "Cisco Secure Web Appliance", "Azure Front Door", "Lookout Mobile Endpoint Security", "Proofpoint PoD", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Zscaler Internet Access", "HarfangLab EDR", "Fortinet FortiProxy", "Microsoft 365 / Office 365", "Google Cloud Load Balancing", "OCSF", "VMware vCenter", "Suricata", "Cisco ISE", "Broadcom Edge Secure Web Gateway", "PingFederate", "Olfeo SAAS", "Fastly Next-Gen WAF Audit Logs", "TEHTRIS EDR", "BeyondTrust Privileged Remote Access Session", "Microsoft Entra ID / Azure AD", "BeyondTrust PRA Team [BETA]", "Zscaler Private Access [BETA]", "Cisco Umbrella Proxy", "F5 NGINX", "Forcepoint Secure Web Gateway", "Check Point Harmony Email & Collaboration Suite Security", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Broadcom/Symantec Endpoint Security", "Cisco IOS router and switch", "Proofpoint TAP", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Palo Alto Prisma access", "Ubika WAAP Gateway", "PRODAFT USTA Cyber Threat Intelligence Platform", "SonicWall Firewall", "Mimecast Email Security", "Citrix NetScaler / ADC", "Cato Networks SASE", "Cisco ESA", "Imperva WAF", "Salesforce", "HAProxy", "Olfeo secure web gateway", "CEF", "Check Point NGFW", "Fortinet FortiMail", "Netskope Transaction Events with AWS S3", "Palo Alto NGFW", "Azure Files", "Sophos Firewall", "Netskope", "Thinkst Canary", "Windows", "Sophos EDR", "Squid", "Cisco Meraki MX", "F5 BIG-IP", "Jizo AI / Sesame it NDR", "VMware ESXi", "Bitdefender GravityZone", "Microsoft Defender XDR / Microsoft 365 Defender", "OGO WAF", "Trend Micro Cloud One / Deep Security", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "SentinelOne EDR", "Azure Key Vault"]}, {"uuid": "d1e2d36c-71f0-4af0-995b-bd9813d14e0c", "name": "Fortigate Firewall Login In Failure", "effort": "master", "data_sources": ["Authentication logs", "Web application firewall logs", "Network protocol analysis", "Packet capture"], "description": "Detects failed login attemps on firewall administration rule. Prerequisites, check that the firewall logs format corresponds to the rule", "attack": ["credential-access - Brute Force (T1110)"], "intake-formats": []}, {"uuid": "b99f6469-d40d-4765-a608-00aafe4d95ee", "name": "ESET Protect Malware", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects when Eset Protect tagged an event as linked to a malware with infected files.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["ESET Protect"]}, {"uuid": "347ad552-dc26-4e48-a7a0-6ea4592372b8", "name": "Discord Suspicious Download", "effort": "advanced", "data_sources": ["Web proxy", "Web logs", "Web application firewall logs", "Packet capture", "Network intrusion detection system"], "description": "Discord is a messaging application. It allows users to create their own communities to share messages and attachments. Those attachments have little to no overview and can be downloaded by almost anyone, which has been abused by attackers to host malicious payloads.", "attack": ["command-and-control - Web Service (T1102)"], "intake-formats": ["Broadcom Siteminder", "Fortinet FortiGate", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "AWS WAF", "Apache HTTP Server", "NeroSwarm Honeypot", "Sekoia.io activity logs", "Trellix Network Security", "Delinea PRA", "Cisco Secure Web Appliance", "Azure Front Door", "Lookout Mobile Endpoint Security", "Proofpoint PoD", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Zscaler Internet Access", "HarfangLab EDR", "Fortinet FortiProxy", "Stormshield SNS", "Microsoft 365 / Office 365", "Google Cloud Load Balancing", "OCSF", "VMware vCenter", "Suricata", "Crowdstrike Falcon Telemetry", "Cisco ISE", "Broadcom Edge Secure Web Gateway", "CrowdStrike Falcon", "PingFederate", "Olfeo SAAS", "Cloudflare WAF events", "Fastly Next-Gen WAF Audit Logs", "Kubernetes Audit Log", "Fortinet FortiWeb", "TEHTRIS EDR", "Akamai WAF", "AWS CloudFront", "BeyondTrust Privileged Remote Access Session", "Microsoft Entra ID / Azure AD", "BeyondTrust PRA Team [BETA]", "Cloudflare HTTP requests", "Ubika Cloud Protector Traffic [DEPRECATED]", "Zscaler Private Access [BETA]", "Wiz Issues", "Aleph Alerts [BETA]", "Cisco Umbrella Proxy", "F5 NGINX", "Forcepoint Secure Web Gateway", "Check Point Harmony Email & Collaboration Suite Security", "Trend Micro Apex One / Vision One endpoint", "Broadcom/Symantec Endpoint Security", "Stormshield SES", "WithSecure Elements", "Cisco IOS router and switch", "Proofpoint TAP", "Microsoft Defender XDR (Graph API) [BETA]", "Akamai Guardicore On-Prem [BETA]", "Cisco Secure Firewall", "Palo Alto Prisma access", "Ubika WAAP Gateway", "PRODAFT USTA Cyber Threat Intelligence Platform", "SonicWall Firewall", "Mimecast Email Security", "Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "Citrix NetScaler / ADC", "Cato Networks SASE", "Cisco ESA", "Ubika Cloud Protector Next Generation Alerts", "Imperva WAF", "Salesforce", "HAProxy", "Olfeo secure web gateway", "Gatewatcher AionIQ V103", "CEF", "Check Point NGFW", "F5 Distributed Cloud", "Fortinet FortiMail", "Netskope Transaction Events with AWS S3", "Palo Alto NGFW", "Azure Files", "Sophos Firewall", "Netskope", "Microsoft IIS", "Thinkst Canary", "Windows", "Gatewatcher AionIQ v102", "Sophos EDR", "WatchGuard Firebox", "Squid", "Cisco Meraki MX", "F5 BIG-IP", "Ivanti / Pulse Connect Secure", "Jizo AI / Sesame it NDR", "VMware ESXi", "Bitdefender GravityZone", "Broadcom Cloud Secure Web Gateway", "Retarus Email Security", "Microsoft Defender XDR / Microsoft 365 Defender", "OGO WAF", "Trend Micro Cloud One / Deep Security", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "SentinelOne EDR", "Azure Key Vault", "Kaspersky Endpoint Security", "Ubika Cloud Protector Alerts [DEPRECATED]", "Cisco Catalyst SD-WAN"]}, {"uuid": "1e20617f-298e-4956-8e90-cb77b936a317", "name": "Sliver DNS Beaconing", "effort": "intermediate", "data_sources": ["DNS records", "Network device logs", "Packet capture", "Windows event logs"], "description": "Detects suspicious DNS queries known from Sliver beaconing ", "attack": ["command-and-control - DNS (T1071.004)"], "intake-formats": ["Fortinet FortiGate", "Gatewatcher AionIQ v102", "Cisco Secure Firewall", "WatchGuard Firebox", "Unbound", "F5 BIG-IP", "Broadcom Edge Secure Web Gateway", "Infoblox DDI", "Broadcom Cloud Secure Web Gateway", "Palo Alto Cortex XDR (EDR)", "Azure Windows", "Barracuda CloudGen Firewall", "BIND", "Cloudflare DNS logs", "SentinelOne Cloud Funnel 2.0", "Tanium", "Zscaler Internet Access", "HarfangLab EDR", "EfficientIP SOLIDServer DDI", "OCSF", "Sekoia.io Endpoint Agent", "Suricata", "Cloudflare Gateway DNS", "Crowdstrike Falcon Telemetry", "Cisco Umbrella DNS", "Windows", "Elastic Winlogbeat"]}, {"uuid": "11a13d04-61cc-4a66-9867-f594f0dba2ad", "name": "ESET Protect Vulnerability Exploitation Attempt", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects when an attempt is made to exploit a vulnerability.", "attack": ["resource-development - Vulnerabilities (T1588.006)"], "intake-formats": ["ESET Protect"]}, {"uuid": "5a3e7aa0-8826-4231-a0b9-eadcb7c06db9", "name": "EfficientIP SOLIDServer Suspicious Behavior", "effort": "master", "data_sources": ["DNS records", "Network device logs"], "description": "Detects when EfficientIP SOLIDServer forwards a suspicious behavior related to an IP.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["EfficientIP SOLIDServer DDI"]}, {"uuid": "390acf78-d41d-4f59-bf62-9fcb20133b3c", "name": "Internet Scanner Target", "effort": "master", "data_sources": ["Network device logs", "Network intrusion detection system", "Web application firewall logs", "Web logs", "DNS records", "Network protocol analysis", "Packet capture"], "description": "Detects known scanner IP addresses. Alert is only raised when the scan hits an opened port, on TCP or UDP and group by target address. This could be a very noisy rule, so be careful to check your detection perimeter before activation.", "attack": ["reconnaissance - Gather Victim Network Information (T1590)", "reconnaissance - Active Scanning (T1595)"], "intake-formats": ["Netfilter", "Fortinet FortiGate", "Akamai Guardicore On-Prem [BETA]", "Gatewatcher AionIQ v102", "Ekinops OneOS", "Cisco Secure Firewall", "Palo Alto Prisma access", "WatchGuard Firebox", "F5 BIG-IP", "Infoblox DDI", "Ivanti / Pulse Connect Secure", "NeroSwarm Honeypot", "Stormshield SES", "Jizo AI / Sesame it NDR", "Google Workspace / ChromeOS", "Cato Networks SASE", "Nozomi Vantage", "Trellix Network Security", "Delinea PRA", "Cloudflare Gateway Network", "Proofpoint PoD", "Barracuda CloudGen Firewall", "AWS GuardDuty", "Check Point NGFW", "Palo Alto NGFW", "Nozomi CMC", "Sophos Firewall", "Akamai Guardicore Cloud [BETA]", "EfficientIP SOLIDServer DDI", "Suricata", "Broadcom/Symantec Endpoint Security", "OpenBSD Packet Filter / OPNSense / PfSense", "Elastic Winlogbeat"]}, {"uuid": "6af26887-a4be-4b6f-9ea5-9750decf1025", "name": "LokiBot Default C2 URL", "effort": "elementary", "data_sources": ["Netflow/Enclave netflow", "Network protocol analysis", "Packet capture", "Web logs"], "description": "Detects default C2 URL for trojan LokiBot", "attack": ["command-and-control - Web Protocols (T1071.001)"], "intake-formats": ["Cisco Secure Firewall", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "Squid", "F5 BIG-IP", "AWS WAF", "Apache HTTP Server", "Broadcom Edge Secure Web Gateway", "PingFederate", "Jizo AI / Sesame it NDR", "Citrix NetScaler / ADC", "Olfeo SAAS", "Imperva WAF", "Delinea PRA", "Cisco Secure Web Appliance", "Azure Front Door", "Salesforce", "HAProxy", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "Netskope Transaction Events with AWS S3", "Zscaler Internet Access", "Azure Files", "HarfangLab EDR", "Fortinet FortiProxy", "OGO WAF", "Sophos Firewall", "Zscaler Private Access [BETA]", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "Google Cloud Load Balancing", "OCSF", "Azure Key Vault", "Cisco Umbrella Proxy", "F5 NGINX", "VMware vCenter", "Suricata", "Thinkst Canary"]}, {"uuid": "8aaf5781-3f6b-4406-8769-a6138c1490f8", "name": "Internet Scanner", "effort": "master", "data_sources": ["Network device logs", "Network intrusion detection system", "Web application firewall logs", "Web logs", "DNS records", "Network protocol analysis", "Packet capture"], "description": "Detects known scanner IP addresses. Alert is only raised when the scan hits an opened port, on TCP or UDP. This could be a very noisy rule, so be careful to check your detection perimeter before activation.", "attack": ["reconnaissance - Gather Victim Network Information (T1590)", "reconnaissance - Active Scanning (T1595)"], "intake-formats": ["Netfilter", "Fortinet FortiGate", "Akamai Guardicore On-Prem [BETA]", "Gatewatcher AionIQ v102", "Ekinops OneOS", "Cisco Secure Firewall", "Palo Alto Prisma access", "WatchGuard Firebox", "F5 BIG-IP", "Infoblox DDI", "Ivanti / Pulse Connect Secure", "NeroSwarm Honeypot", "Stormshield SES", "Jizo AI / Sesame it NDR", "Google Workspace / ChromeOS", "Cato Networks SASE", "Nozomi Vantage", "Trellix Network Security", "Delinea PRA", "Cloudflare Gateway Network", "Proofpoint PoD", "Barracuda CloudGen Firewall", "AWS GuardDuty", "Check Point NGFW", "Palo Alto NGFW", "Nozomi CMC", "Sophos Firewall", "Akamai Guardicore Cloud [BETA]", "EfficientIP SOLIDServer DDI", "Suricata", "Broadcom/Symantec Endpoint Security", "OpenBSD Packet Filter / OPNSense / PfSense", "Elastic Winlogbeat"]}, {"uuid": "ca0f96a6-c96f-4aae-be1c-9b3fa5016109", "name": "CVE-2021-22123 Fortinet FortiWeb OS Command Injection", "effort": "advanced", "data_sources": ["Packet capture", "Web logs", "Web application firewall logs", "Web proxy"], "description": "Detects Fortinet FortiWeb OS Command Injection (August 2021) vulnerability exploitation attempt. A remote, authenticated attacker can execute arbitrary commands on the system hosting a vulnerable FortiWeb WAF by sending a POST request with the command in the name field. At the time of writing this rule, it would appear that the request would respond in code 500 for a successful exploitation attempt.", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Fortinet FortiGate", "Cisco Secure Firewall", "Cloudflare Gateway HTTP", "Palo Alto Prisma access", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "Squid", "Cisco Meraki MX", "F5 BIG-IP", "AWS WAF", "Apache HTTP Server", "Broadcom Edge Secure Web Gateway", "SonicWall Firewall", "PingFederate", "Sekoia.io activity logs", "Citrix NetScaler / ADC", "Olfeo SAAS", "Trellix Network Security", "Imperva WAF", "Cisco Secure Web Appliance", "Azure Front Door", "Salesforce", "HAProxy", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "CEF", "Check Point NGFW", "Netskope Transaction Events with AWS S3", "SentinelOne Cloud Funnel 2.0", "Zscaler Internet Access", "Palo Alto NGFW", "HarfangLab EDR", "Zscaler Private Access [BETA]", "OGO WAF", "Sophos Firewall", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "Google Cloud Load Balancing", "OCSF", "Cisco Umbrella Proxy", "F5 NGINX", "VMware vCenter", "Forcepoint Secure Web Gateway", "Suricata", "Thinkst Canary"]}, {"uuid": "6fcb4ade-2bcf-48ef-bdfd-c115638717b6", "name": "Download Files From Non-Legitimate TLDs", "effort": "master", "data_sources": ["Web logs", "Web proxy", "Web application firewall logs", "Packet capture"], "description": "Detects file downloads from non-legitimate TLDs. Additional legitimates TLDs should be filtered according to the business habits.", "attack": ["initial-access - Phishing (T1566)", "execution - Exploitation for Client Execution (T1203)", "execution - User Execution (T1204)", "execution - Malicious Link (T1204.001)", "execution - Malicious File (T1204.002)"], "intake-formats": ["Skyhigh Secure Web Gateway / McAfee Web Gateway", "Netskope", "Gatewatcher AionIQ V103", "F5 NGINX", "Crowdstrike Falcon Telemetry", "F5 BIG-IP", "Fortinet FortiProxy", "Windows"]}, {"uuid": "0e57941d-39da-45f5-9c29-fd58ecfb5d46", "name": "Outgoing Bytes Peak", "effort": "advanced", "data_sources": ["Authentication logs", "Web application firewall logs", "Network protocol analysis", "Packet capture"], "description": "Spots outgoing bytes traffic peak to detect a data exfiltration.", "attack": ["exfiltration - Exfiltration Over Web Service (T1567)"], "intake-formats": []}, {"uuid": "d5e87475-6ba3-43ba-bce2-1551fabd39b1", "name": "Login Brute-Force Successful On ArubaOS Switch", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "A user has attempted to login several times (brute-force) on ArubaOS switch and succeeded to login.", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["ArubaOS Switch"]}, {"uuid": "3b4380f2-a7dd-4fd4-9157-b9fd250d6b43", "name": "Retarus Email Security Threat Detected (Sandboxing)", "effort": "elementary", "data_sources": ["Email gateway"], "description": "Sandboxing alerts detected by Retarus Email Security. Sandboxing subjects specific file attachments to an in-depth analysis. Retarus uses a sandboxing solution from the specialized and highly respected third-party provider Palo Alto Networks for this advanced threat assessment. Emails identified as infected are either deleted or quarantined, and the intended recipient is notified.", "attack": ["initial-access - Spearphishing Attachment (T1566.001)"], "intake-formats": ["Retarus Email Security"]}, {"uuid": "686bfcfd-5f9b-4665-80c9-c990ba2705ff", "name": "Spearphishing (Gift Cards Fraud) Detected By Vade For M365", "effort": "master", "data_sources": ["Anti-virus", "Email gateway"], "description": "Vade Secure product Vade for M365 has detected a spear-phishing attempt with gift-cards fraud thematic. Executive impersonation requesting a money transfer to set up gift-cards for employees. Confidentiality and discretion are usually implied.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Vade for M365"]}, {"uuid": "ad65c510-a673-4374-9d57-1bdd70ceb5db", "name": "Spam Detected By Vade For M365", "effort": "master", "data_sources": ["Anti-virus", "Email gateway"], "description": "Vade Secure product Vade for M365, has detected a spam e-mail.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Vade for M365"]}, {"uuid": "e7be0f85-b8fd-497a-85d2-3719ea2ac2cb", "name": "Broadcom Edge Secure Web Gateway High Threat", "effort": "master", "data_sources": ["Network protocol analysis"], "description": "Detects when a high threat is detected by Broadcom Edge Secure Web Gateway.", "attack": ["initial-access - Valid Accounts (T1078)"], "intake-formats": ["Broadcom Edge Secure Web Gateway"]}, {"uuid": "de878945-be98-4cab-821e-56da38da38f7", "name": "Cato Networks SASE High Risk Alert", "effort": "master", "data_sources": ["Application logs"], "description": "Cato Networks SASE intrusion detection has detected a high risk alert.", "attack": ["command-and-control - Application Layer Protocol (T1071)"], "intake-formats": ["Cato Networks SASE"]}, {"uuid": "d1718d63-39e2-49ca-a564-a13175acfbbb", "name": "Suspicious TOR Gateway", "effort": "advanced", "data_sources": ["DNS records", "Packet capture", "Web logs", "Web application firewall logs", "Web proxy"], "description": "Detects suspicious TOR gateways. Gateways are often used by the victim to pay and decrypt the encrypted files without installing TOR. Tor intercepts the network traffic from one or more apps on user\u2019s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user\u2019s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what\u2019s left on to the next relay in the list.", "attack": ["command-and-control - Multi-hop Proxy (T1090.003)"], "intake-formats": ["Fortinet FortiGate", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "Hornetsecurity 365 Total Protection", "AWS WAF", "Apache HTTP Server", "Sekoia.io activity logs", "Trellix Network Security", "Delinea PRA", "Cisco Secure Web Appliance", "Azure Front Door", "Cloudflare Gateway Network", "Azure Windows", "Lookout Mobile Endpoint Security", "Proofpoint PoD", "Juniper NGFW", "Sophos Analysis Threat Center", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Cloudflare DNS logs", "SentinelOne Cloud Funnel 2.0", "Tanium", "Zscaler Internet Access", "Vectra Cognito Detect", "HarfangLab EDR", "Fortinet FortiProxy", "Microsoft 365 / Office 365", "EfficientIP SOLIDServer DDI", "Google Cloud Load Balancing", "OCSF", "VMware vCenter", "Suricata", "Cloudflare Gateway DNS", "Crowdstrike Falcon Telemetry", "Elastic Winlogbeat", "Cisco ISE", "Broadcom Edge Secure Web Gateway", "CrowdStrike Falcon", "Infoblox DDI", "Postfix", "PingFederate", "Olfeo SAAS", "Cloudflare WAF events", "Fastly Next-Gen WAF Audit Logs", "TEHTRIS EDR", "AWS CloudFront", "BeyondTrust Privileged Remote Access Session", "Microsoft Entra ID / Azure AD", "AWS GuardDuty", "BeyondTrust PRA Team [BETA]", "BIND", "Zscaler Private Access [BETA]", "Nozomi CMC", "Akamai Guardicore Cloud [BETA]", "Cisco Umbrella Proxy", "F5 NGINX", "Forcepoint Secure Web Gateway", "Check Point Harmony Email & Collaboration Suite Security", "Trend Micro Apex One / Vision One endpoint", "Cisco Umbrella DNS", "Broadcom/Symantec Endpoint Security", "Stormshield SES", "Cisco IOS router and switch", "Proofpoint TAP", "Microsoft Defender XDR (Graph API) [BETA]", "Akamai Guardicore On-Prem [BETA]", "Cisco Secure Firewall", "Palo Alto Prisma access", "Ubika WAAP Gateway", "PRODAFT USTA Cyber Threat Intelligence Platform", "Unbound", "SonicWall Firewall", "Mimecast Email Security", "Citrix NetScaler / ADC", "Cato Networks SASE", "Cisco ESA", "Imperva WAF", "ArubaOS Switch", "Salesforce", "HAProxy", "Olfeo secure web gateway", "CEF", "Check Point NGFW", "Fortinet FortiMail", "Netskope Transaction Events with AWS S3", "Palo Alto NGFW", "Azure Files", "Sophos Firewall", "Netskope", "Thinkst Canary", "Cisco NX-OS", "Windows", "Gatewatcher AionIQ v102", "Claroty xDome", "Sophos EDR", "WatchGuard Firebox", "Squid", "Cisco Meraki MX", "F5 BIG-IP", "Ivanti / Pulse Connect Secure", "Jizo AI / Sesame it NDR", "VMware ESXi", "Bitdefender GravityZone", "Broadcom Cloud Secure Web Gateway", "Palo Alto Cortex XDR (EDR)", "Retarus Email Security", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "Barracuda CloudGen Firewall", "CyberArk Digital Vault", "OGO WAF", "Trend Micro Cloud One / Deep Security", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "SentinelOne EDR", "Azure Key Vault", "WALLIX Bastion", "Vade Cloud"]}, {"uuid": "76be6bb8-1ba6-4fbc-a45a-db7c58a127e6", "name": "CVE-2020-14882 Oracle WebLogic Server", "effort": "advanced", "data_sources": ["Packet capture", "Web logs", "Web proxy", "Web application firewall logs"], "description": "Detects the exploitation of the Oracle WebLogic Server vulnerability (CVE-2020-16952).", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Fortinet FortiGate", "Cisco Secure Firewall", "Cloudflare Gateway HTTP", "Palo Alto Prisma access", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "Squid", "Cisco Meraki MX", "F5 BIG-IP", "AWS WAF", "Apache HTTP Server", "Broadcom Edge Secure Web Gateway", "SonicWall Firewall", "PingFederate", "Sekoia.io activity logs", "Citrix NetScaler / ADC", "Olfeo SAAS", "Trellix Network Security", "Imperva WAF", "Cisco Secure Web Appliance", "Azure Front Door", "Salesforce", "HAProxy", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "CEF", "Check Point NGFW", "Netskope Transaction Events with AWS S3", "SentinelOne Cloud Funnel 2.0", "Zscaler Internet Access", "Palo Alto NGFW", "HarfangLab EDR", "Zscaler Private Access [BETA]", "OGO WAF", "Sophos Firewall", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "Google Cloud Load Balancing", "OCSF", "Cisco Umbrella Proxy", "F5 NGINX", "VMware vCenter", "Forcepoint Secure Web Gateway", "Suricata", "Thinkst Canary"]}, {"uuid": "805503bb-f27e-4f14-9465-710bec10abfd", "name": "Cobalt Strike HTTP Default GET beaconing", "effort": "advanced", "data_sources": ["Network device logs", "Packet capture"], "description": "Detects GET HTTP queries from known Cobalt Strike beacons (source code 4.3)", "attack": ["command-and-control - Web Protocols (T1071.001)"], "intake-formats": ["Skyhigh Secure Web Gateway / McAfee Web Gateway", "HAProxy", "Cisco Umbrella Proxy", "Cisco Secure Firewall", "F5 NGINX", "Olfeo SAAS", "VMware vCenter", "Suricata", "Salesforce", "Squid", "Cisco Secure Web Appliance", "Azure Front Door", "Zscaler Internet Access", "F5 BIG-IP", "Apache HTTP Server", "Zscaler Private Access [BETA]"]}, {"uuid": "1578c01b-490d-4e99-8579-4553d3e76067", "name": "Retarus Email Security Threat Detected (MultiScan)", "effort": "intermediate", "data_sources": ["Email gateway"], "description": "Antivirus MultiScan alerts detected by Retarus Email Security. AntiVirus MultiScan automatically scans incoming and outgoing emails and file attachments for viruses with up to four virus scanners and uses heuristic analysis to protect from unknown malware.", "attack": ["initial-access - Spearphishing Attachment (T1566.001)"], "intake-formats": ["Retarus Email Security"]}, {"uuid": "0caf3914-2952-4bd9-b48a-e13f588132fb", "name": "Login Brute-Force Successful On WatchGuard Firebox", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "A user has attempted to login several times (brute-force) on WatchGuard Firebox and succeeded to login.", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["WatchGuard Firebox"]}, {"uuid": "d6ad981f-720c-45a3-96af-8cfaddd594a3", "name": "CVE-2020-17530 Apache Struts RCE", "effort": "intermediate", "data_sources": ["Packet capture", "Web logs", "Web proxy", "Web application firewall logs"], "description": "Detects the exploitation of the Apache Struts RCE vulnerability (CVE-2020-17530).", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Fortinet FortiGate", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "AWS WAF", "Apache HTTP Server", "Sekoia.io activity logs", "Trellix Network Security", "Delinea PRA", "Cisco Secure Web Appliance", "Azure Front Door", "Lookout Mobile Endpoint Security", "Proofpoint PoD", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Zscaler Internet Access", "HarfangLab EDR", "Fortinet FortiProxy", "Microsoft 365 / Office 365", "Google Cloud Load Balancing", "OCSF", "VMware vCenter", "Suricata", "Cisco ISE", "Broadcom Edge Secure Web Gateway", "PingFederate", "Olfeo SAAS", "Fastly Next-Gen WAF Audit Logs", "TEHTRIS EDR", "BeyondTrust Privileged Remote Access Session", "Microsoft Entra ID / Azure AD", "BeyondTrust PRA Team [BETA]", "Zscaler Private Access [BETA]", "Cisco Umbrella Proxy", "F5 NGINX", "Forcepoint Secure Web Gateway", "Check Point Harmony Email & Collaboration Suite Security", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Broadcom/Symantec Endpoint Security", "Cisco IOS router and switch", "Proofpoint TAP", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Palo Alto Prisma access", "Ubika WAAP Gateway", "PRODAFT USTA Cyber Threat Intelligence Platform", "SonicWall Firewall", "Mimecast Email Security", "Citrix NetScaler / ADC", "Cato Networks SASE", "Cisco ESA", "Imperva WAF", "Salesforce", "HAProxy", "Olfeo secure web gateway", "CEF", "Check Point NGFW", "Fortinet FortiMail", "Netskope Transaction Events with AWS S3", "Palo Alto NGFW", "Azure Files", "Sophos Firewall", "Netskope", "Thinkst Canary", "Windows", "Sophos EDR", "Squid", "Cisco Meraki MX", "F5 BIG-IP", "Jizo AI / Sesame it NDR", "VMware ESXi", "Bitdefender GravityZone", "Microsoft Defender XDR / Microsoft 365 Defender", "OGO WAF", "Trend Micro Cloud One / Deep Security", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "SentinelOne EDR", "Azure Key Vault"]}, {"uuid": "c66b5406-665f-4d6c-8f4f-93d9fa986d1a", "name": "CVE-2020-0688 Microsoft Exchange Server Exploit", "effort": "elementary", "data_sources": ["Packet capture", "Web application firewall logs", "Web logs", "Web proxy"], "description": "Detects the exploitation of CVE-2020-0688. The POC exploit a .NET serialization vulnerability in the Exchange Control Panel (ECP) web page. The vulnerability is due to Microsoft Exchange Server not randomizing the keys on a per-installation basis resulting in them using the same validationKey and decryptionKey values. With knowledge of these, values an attacker can craft a special viewstate to use an OS command to be executed by NT_AUTHORITY\\SYSTEM using .NET deserialization. To exploit this vulnerability, an attacker needs to leverage the credentials of an account it had already compromised to authenticate to OWA.", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Fortinet FortiGate", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "AWS WAF", "Apache HTTP Server", "Sekoia.io activity logs", "Trellix Network Security", "Delinea PRA", "Cisco Secure Web Appliance", "Azure Front Door", "Lookout Mobile Endpoint Security", "Proofpoint PoD", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Zscaler Internet Access", "HarfangLab EDR", "Fortinet FortiProxy", "Microsoft 365 / Office 365", "Google Cloud Load Balancing", "OCSF", "VMware vCenter", "Suricata", "Cisco ISE", "Broadcom Edge Secure Web Gateway", "PingFederate", "Olfeo SAAS", "Fastly Next-Gen WAF Audit Logs", "TEHTRIS EDR", "BeyondTrust Privileged Remote Access Session", "Microsoft Entra ID / Azure AD", "BeyondTrust PRA Team [BETA]", "Zscaler Private Access [BETA]", "Cisco Umbrella Proxy", "F5 NGINX", "Forcepoint Secure Web Gateway", "Check Point Harmony Email & Collaboration Suite Security", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Broadcom/Symantec Endpoint Security", "Cisco IOS router and switch", "Proofpoint TAP", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Palo Alto Prisma access", "Ubika WAAP Gateway", "PRODAFT USTA Cyber Threat Intelligence Platform", "SonicWall Firewall", "Mimecast Email Security", "Citrix NetScaler / ADC", "Cato Networks SASE", "Cisco ESA", "Imperva WAF", "Salesforce", "HAProxy", "Olfeo secure web gateway", "CEF", "Check Point NGFW", "Fortinet FortiMail", "Netskope Transaction Events with AWS S3", "Palo Alto NGFW", "Azure Files", "Sophos Firewall", "Netskope", "Thinkst Canary", "Windows", "Sophos EDR", "Squid", "Cisco Meraki MX", "F5 BIG-IP", "Jizo AI / Sesame it NDR", "VMware ESXi", "Bitdefender GravityZone", "Microsoft Defender XDR / Microsoft 365 Defender", "OGO WAF", "Trend Micro Cloud One / Deep Security", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "SentinelOne EDR", "Azure Key Vault"]}, {"uuid": "50eb4477-d9df-4897-8eb3-aec6ca72267c", "name": "TOR Usage Generic Rule", "effort": "master", "data_sources": ["Netflow/Enclave netflow", "Network protocol analysis", "Packet capture", "Web application firewall logs"], "description": "Detects TOR usage globally, whether the IP is a destination or source. TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user\u2019s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user\u2019s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what\u2019s left on to the next relay in the list.", "attack": ["command-and-control - Multi-hop Proxy (T1090.003)"], "intake-formats": ["Broadcom Siteminder", "Fortinet FortiGate", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "Hornetsecurity 365 Total Protection", "Google Cloud Audit Logs", "GraphAPI for Microsoft Entra ID / Azure AD", "AWS WAF", "Apache HTTP Server", "Juniper Networks Switches", "NeroSwarm Honeypot", "Sekoia.io activity logs", "Veeam Backup", "Elastic AuditBeat Linux", "Trellix Network Security", "Delinea PRA", "Cisco Secure Web Appliance", "Azure Front Door", "Cloudflare Gateway Network", "Azure Windows", "Proofpoint PoD", "Juniper NGFW", "Vade for M365", "Sophos Analysis Threat Center", "Wiz Audit Logs", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Cloudflare DNS logs", "Google VPC Flow Logs", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Zscaler Internet Access", "Forcepoint Next-Generation Firewall", "Vectra Cognito Detect", "HarfangLab EDR", "Fortinet FortiProxy", "Stormshield SNS", "Microsoft 365 / Office 365", "EfficientIP SOLIDServer DDI", "Google Cloud Load Balancing", "OCSF", "ExtraHop Reveal(x) 360", "VMware vCenter", "Suricata", "Cloudflare Gateway DNS", "Crowdstrike Falcon Telemetry", "SonicWall Secure Mobile Access", "OpenBSD Packet Filter / OPNSense / PfSense", "Elastic Winlogbeat", "Github Audit logs", "Systancia Cleanroom", "Cloudflare Audit logs", "Watchguard EPDR", "Cisco ISE", "ManageEngine ADAudit Plus", "Wiz Threat Detections", "Broadcom Edge Secure Web Gateway", "CrowdStrike Falcon", "Infoblox DDI", "1Password EPM", "Postfix", "PingFederate", "Google Workspace / ChromeOS", "Olfeo SAAS", "Rubycat PROVE IT", "Radware DefensePro [Beta]", "Apache SpamAssassin", "Cloudflare WAF events", "Fastly Next-Gen WAF Audit Logs", "Kubernetes Audit Log", "Trellix Advanced Threat Defense", "Fortinet FortiWeb", "TEHTRIS EDR", "Akamai WAF", "AWS CloudFront", "BeyondTrust Privileged Remote Access Session", "Microsoft Entra ID / Azure AD", "AWS GuardDuty", "BeyondTrust PRA Team [BETA]", "Cloudflare HTTP requests", "BIND", "Ubika Cloud Protector Traffic [DEPRECATED]", "Zscaler Private Access [BETA]", "Nozomi CMC", "Wiz Issues", "Aleph Alerts [BETA]", "ISC DHCP", "Akamai Guardicore Cloud [BETA]", "Cyberwatch Detection", "Lacework Cloud Security", "Sekoia.io Endpoint Agent", "Cisco Umbrella Proxy", "Varonis Data Security", "F5 NGINX", "Forcepoint Secure Web Gateway", "Check Point Harmony Email & Collaboration Suite Security", "Trend Micro Apex One / Vision One endpoint", "Cisco Umbrella DNS", "Broadcom/Symantec Endpoint Security", "Bitsight SPM", "Cisco IOS router and switch", "LockSelf LockPass/LockTransfer/LockFiles", "OpenSSH", "Proofpoint TAP", "Microsoft Defender XDR (Graph API) [BETA]", "Stormshield SES", "Akamai Guardicore On-Prem [BETA]", "Forcepoint Management Server", "Cisco Secure Firewall", "Palo Alto Prisma access", "Ubika WAAP Gateway", "IBM AIX", "PRODAFT USTA Cyber Threat Intelligence Platform", "Clavister NGFW", "Unbound", "BeyondTrust Privileged Remote Access Syslog [BETA]", "SonicWall Firewall", "Mimecast Email Security", "ESET Protect", "Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "Azure Network Watcher [DEPRECATED]", "Citrix NetScaler / ADC", "Microsoft Always On VPN", "Cato Networks SASE", "Cisco ESA", "Nozomi Vantage", "Trellix EPO [ALPHA]", "Imperva WAF", "Ubika Cloud Protector Next Generation Alerts", "CyberArk Audit Logs", "ArubaOS Switch", "Salesforce", "Okta", "HAProxy", "Olfeo secure web gateway", "Gatewatcher AionIQ V103", "AWS CloudTrail", "CEF", "WatchGuard Endpoint Security / Panda Security Aether", "F5 Distributed Cloud", "Check Point NGFW", "Fortinet FortiMail", "Netskope Transaction Events with AWS S3", "Palo Alto NGFW", "Azure Files", "Sophos Firewall", "Netskope", "Microsoft IIS", "Cloudflare Access Requests", "Cisco Umbrella IP", "Thinkst Canary", "Microsoft 365 Message Trace [DEPRECATED]", "Cisco NX-OS", "OpenVPN", "NucleonEDR", "Windows", "Jumpcloud Directory Insights", "OpenLDAP", "Keycloak Events", "Netfilter", "Seckiot Citadelle", "Gatewatcher AionIQ v102", "Ekinops OneOS", "Claroty xDome", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "WatchGuard Firebox", "FreeRADIUS", "Squid", "Fastly Next-Gen WAF Alerts", "Cisco Meraki MX", "F5 BIG-IP", "Ivanti / Pulse Connect Secure", "Microsoft 365 Message Trace (Graph API)", "Jizo AI / Sesame it NDR", "VMware ESXi", "Darktrace Threat Visualizer", "Trellix ePO (on-prem)", "Microsoft Intune", "Bitdefender GravityZone", "Nanocorp [BETA]", "Broadcom Cloud Secure Web Gateway", "Azure Database for MySQL", "Palo Alto Cortex XDR (EDR)", "Retarus Email Security", "Microsoft Defender XDR / Microsoft 365 Defender", "Trapster (by Ballpoint) [BETA]", "AWS VPC Flow logs", "MokN - Baits", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "WithSecure Elements", "CyberArk Digital Vault", "Wiz Vulnerability Findings", "OGO WAF", "Trend Micro Cloud One / Deep Security", "Azure Activity Logs", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "SentinelOne EDR", "Azure Key Vault", "IBM iSeries", "Azure Network Watcher Flow Logs", "Ubika Cloud Protector Alerts [DEPRECATED]", "Cisco Duo Security", "Cisco Catalyst SD-WAN", "WALLIX Bastion", "Vade Cloud"]}, {"uuid": "e4f2d8ee-ec9e-4e69-a1ec-9ec94b506978", "name": "CVE-2021-41773 Apache 2.4.49 Path Traversal", "effort": "advanced", "data_sources": ["Packet capture", "Web logs", "Web application firewall logs", "Web proxy"], "description": "Detects successful exploitation of the Apache Path Traversal CVE-2021-41773.", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Cisco Secure Firewall", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "Squid", "F5 BIG-IP", "AWS WAF", "Apache HTTP Server", "Broadcom Edge Secure Web Gateway", "PingFederate", "Citrix NetScaler / ADC", "Olfeo SAAS", "Imperva WAF", "Cisco Secure Web Appliance", "Azure Front Door", "Salesforce", "HAProxy", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "Netskope Transaction Events with AWS S3", "Zscaler Internet Access", "HarfangLab EDR", "Zscaler Private Access [BETA]", "OGO WAF", "Sophos Firewall", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "Google Cloud Load Balancing", "OCSF", "Cisco Umbrella Proxy", "F5 NGINX", "VMware vCenter", "Suricata", "Thinkst Canary"]}, {"uuid": "8ddec30d-3bed-4b8c-b7d8-d19b29aa88c5", "name": "Remote Access Tool Domain", "effort": "master", "data_sources": ["DNS records", "Netflow/Enclave netflow", "Network protocol analysis", "Packet capture", "Web logs"], "description": "Detects traffic toward a domain flagged as a Remote Administration Tool (RAT).", "attack": ["command-and-control - Remote Access Tools (T1219)"], "intake-formats": ["Broadcom Siteminder", "Fortinet FortiGate", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "Hornetsecurity 365 Total Protection", "Google Cloud Audit Logs", "GraphAPI for Microsoft Entra ID / Azure AD", "AWS WAF", "Apache HTTP Server", "Juniper Networks Switches", "NeroSwarm Honeypot", "Sekoia.io activity logs", "Veeam Backup", "Elastic AuditBeat Linux", "Trellix Network Security", "Delinea PRA", "Cisco Secure Web Appliance", "Azure Front Door", "Cloudflare Gateway Network", "Azure Windows", "Proofpoint PoD", "Juniper NGFW", "Vade for M365", "Sophos Analysis Threat Center", "Wiz Audit Logs", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Cloudflare DNS logs", "Google VPC Flow Logs", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Zscaler Internet Access", "Forcepoint Next-Generation Firewall", "Vectra Cognito Detect", "HarfangLab EDR", "Fortinet FortiProxy", "Stormshield SNS", "Microsoft 365 / Office 365", "EfficientIP SOLIDServer DDI", "Google Cloud Load Balancing", "OCSF", "ExtraHop Reveal(x) 360", "VMware vCenter", "Suricata", "Cloudflare Gateway DNS", "Crowdstrike Falcon Telemetry", "SonicWall Secure Mobile Access", "OpenBSD Packet Filter / OPNSense / PfSense", "Elastic Winlogbeat", "Github Audit logs", "Systancia Cleanroom", "Cloudflare Audit logs", "Watchguard EPDR", "Cisco ISE", "ManageEngine ADAudit Plus", "Wiz Threat Detections", "Broadcom Edge Secure Web Gateway", "CrowdStrike Falcon", "Infoblox DDI", "1Password EPM", "Postfix", "PingFederate", "Google Workspace / ChromeOS", "Olfeo SAAS", "Rubycat PROVE IT", "Radware DefensePro [Beta]", "Apache SpamAssassin", "Cloudflare WAF events", "Fastly Next-Gen WAF Audit Logs", "Kubernetes Audit Log", "Trellix Advanced Threat Defense", "Fortinet FortiWeb", "TEHTRIS EDR", "Akamai WAF", "AWS CloudFront", "BeyondTrust Privileged Remote Access Session", "Microsoft Entra ID / Azure AD", "AWS GuardDuty", "BeyondTrust PRA Team [BETA]", "Cloudflare HTTP requests", "BIND", "Ubika Cloud Protector Traffic [DEPRECATED]", "Zscaler Private Access [BETA]", "Nozomi CMC", "Wiz Issues", "Aleph Alerts [BETA]", "ISC DHCP", "Akamai Guardicore Cloud [BETA]", "Cyberwatch Detection", "Lacework Cloud Security", "Sekoia.io Endpoint Agent", "Cisco Umbrella Proxy", "Varonis Data Security", "F5 NGINX", "Forcepoint Secure Web Gateway", "Check Point Harmony Email & Collaboration Suite Security", "Trend Micro Apex One / Vision One endpoint", "Cisco Umbrella DNS", "Broadcom/Symantec Endpoint Security", "Bitsight SPM", "Cisco IOS router and switch", "LockSelf LockPass/LockTransfer/LockFiles", "OpenSSH", "Proofpoint TAP", "Microsoft Defender XDR (Graph API) [BETA]", "Stormshield SES", "Akamai Guardicore On-Prem [BETA]", "Forcepoint Management Server", "Cisco Secure Firewall", "Palo Alto Prisma access", "Ubika WAAP Gateway", "IBM AIX", "PRODAFT USTA Cyber Threat Intelligence Platform", "Clavister NGFW", "Unbound", "BeyondTrust Privileged Remote Access Syslog [BETA]", "SonicWall Firewall", "Mimecast Email Security", "ESET Protect", "Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "Azure Network Watcher [DEPRECATED]", "Citrix NetScaler / ADC", "Microsoft Always On VPN", "Cato Networks SASE", "Cisco ESA", "Nozomi Vantage", "Trellix EPO [ALPHA]", "Imperva WAF", "Ubika Cloud Protector Next Generation Alerts", "CyberArk Audit Logs", "ArubaOS Switch", "Salesforce", "Okta", "HAProxy", "Olfeo secure web gateway", "Gatewatcher AionIQ V103", "AWS CloudTrail", "CEF", "WatchGuard Endpoint Security / Panda Security Aether", "F5 Distributed Cloud", "Check Point NGFW", "Fortinet FortiMail", "Netskope Transaction Events with AWS S3", "Palo Alto NGFW", "Azure Files", "Sophos Firewall", "Netskope", "Microsoft IIS", "Cloudflare Access Requests", "Cisco Umbrella IP", "Thinkst Canary", "Microsoft 365 Message Trace [DEPRECATED]", "Cisco NX-OS", "OpenVPN", "NucleonEDR", "Windows", "Jumpcloud Directory Insights", "OpenLDAP", "Keycloak Events", "Netfilter", "Seckiot Citadelle", "Gatewatcher AionIQ v102", "Ekinops OneOS", "Claroty xDome", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "WatchGuard Firebox", "FreeRADIUS", "Squid", "Fastly Next-Gen WAF Alerts", "Cisco Meraki MX", "F5 BIG-IP", "Ivanti / Pulse Connect Secure", "Microsoft 365 Message Trace (Graph API)", "Jizo AI / Sesame it NDR", "VMware ESXi", "Darktrace Threat Visualizer", "Trellix ePO (on-prem)", "Microsoft Intune", "Bitdefender GravityZone", "Nanocorp [BETA]", "Broadcom Cloud Secure Web Gateway", "Azure Database for MySQL", "Palo Alto Cortex XDR (EDR)", "Retarus Email Security", "Microsoft Defender XDR / Microsoft 365 Defender", "Trapster (by Ballpoint) [BETA]", "AWS VPC Flow logs", "MokN - Baits", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "WithSecure Elements", "CyberArk Digital Vault", "Wiz Vulnerability Findings", "OGO WAF", "Trend Micro Cloud One / Deep Security", "Azure Activity Logs", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "SentinelOne EDR", "Azure Key Vault", "IBM iSeries", "Azure Network Watcher Flow Logs", "Ubika Cloud Protector Alerts [DEPRECATED]", "Cisco Duo Security", "Cisco Catalyst SD-WAN", "WALLIX Bastion", "Vade Cloud"]}, {"uuid": "695011ce-6c09-468b-b6ad-46768ab812d8", "name": "Suspicious Email Attachment Received", "effort": "advanced", "data_sources": ["Email gateway", "Mail server"], "description": "Detects email containing a suspicious file as an attachment, based on its extension.", "attack": ["initial-access - Spearphishing Attachment (T1566.001)", "collection - Data from Network Shared Drive (T1039)"], "intake-formats": ["Mimecast Email Security", "Proofpoint PoD", "OCSF", "Gatewatcher AionIQ V103", "Varonis Data Security", "Palo Alto Prisma access", "Fortinet FortiMail", "Microsoft 365 / Office 365", "Palo Alto NGFW", "Trend Micro Apex One / Vision One endpoint", "Postfix", "WithSecure Elements", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "90d03042-9b00-4d1f-a83d-81539a0f2552", "name": "ProxyShell Microsoft Exchange Suspicious Paths", "effort": "elementary", "data_sources": ["Netflow/Enclave netflow", "Network protocol analysis", "Packet capture", "Web application firewall logs", "Web logs"], "description": "Detects suspicious calls to Microsoft Exchange resources, in locations related to webshells observed in campaigns using this vulnerability.", "attack": ["persistence - Web Shell (T1505.003)"], "intake-formats": ["Fortinet FortiGate", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "AWS WAF", "Apache HTTP Server", "Sekoia.io activity logs", "Trellix Network Security", "Delinea PRA", "Cisco Secure Web Appliance", "Azure Front Door", "Lookout Mobile Endpoint Security", "Proofpoint PoD", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Zscaler Internet Access", "HarfangLab EDR", "Fortinet FortiProxy", "Microsoft 365 / Office 365", "Google Cloud Load Balancing", "OCSF", "VMware vCenter", "Suricata", "Cisco ISE", "Broadcom Edge Secure Web Gateway", "PingFederate", "Olfeo SAAS", "Fastly Next-Gen WAF Audit Logs", "TEHTRIS EDR", "BeyondTrust Privileged Remote Access Session", "Microsoft Entra ID / Azure AD", "BeyondTrust PRA Team [BETA]", "Zscaler Private Access [BETA]", "Cisco Umbrella Proxy", "F5 NGINX", "Forcepoint Secure Web Gateway", "Check Point Harmony Email & Collaboration Suite Security", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Broadcom/Symantec Endpoint Security", "Cisco IOS router and switch", "Proofpoint TAP", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Palo Alto Prisma access", "Ubika WAAP Gateway", "PRODAFT USTA Cyber Threat Intelligence Platform", "SonicWall Firewall", "Mimecast Email Security", "Citrix NetScaler / ADC", "Cato Networks SASE", "Cisco ESA", "Imperva WAF", "Salesforce", "HAProxy", "Olfeo secure web gateway", "CEF", "Check Point NGFW", "Fortinet FortiMail", "Netskope Transaction Events with AWS S3", "Palo Alto NGFW", "Azure Files", "Sophos Firewall", "Netskope", "Thinkst Canary", "Windows", "Sophos EDR", "Squid", "Cisco Meraki MX", "F5 BIG-IP", "Jizo AI / Sesame it NDR", "VMware ESXi", "Bitdefender GravityZone", "Microsoft Defender XDR / Microsoft 365 Defender", "OGO WAF", "Trend Micro Cloud One / Deep Security", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "SentinelOne EDR", "Azure Key Vault"]}, {"uuid": "4e38c194-9347-4cfb-9e31-d114676b71d7", "name": "TrevorC2 HTTP Communication", "effort": "elementary", "data_sources": ["Netflow/Enclave netflow", "Network protocol analysis", "Packet capture", "Web logs"], "description": "Detects TrevorC2 HTTP communication based on the HTTP request URI and the user-agent. ", "attack": ["command-and-control - Web Protocols (T1071.001)"], "intake-formats": ["Fortinet FortiGate", "Cisco Secure Firewall", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "Squid", "Cisco ISE", "Cisco Meraki MX", "AWS WAF", "Apache HTTP Server", "Broadcom Edge Secure Web Gateway", "F5 BIG-IP", "SonicWall Firewall", "Sekoia.io activity logs", "VMware ESXi", "Citrix NetScaler / ADC", "Cato Networks SASE", "Cisco ESA", "Trellix Network Security", "Imperva WAF", "Delinea PRA", "Cisco Secure Web Appliance", "Azure Front Door", "Salesforce", "Fastly Next-Gen WAF Audit Logs", "Microsoft Defender XDR / Microsoft 365 Defender", "HAProxy", "Gatewatcher AionIQ V103", "Microsoft Entra ID / Azure AD", "CEF", "Check Point NGFW", "Netskope Transaction Events with AWS S3", "Zscaler Internet Access", "Azure Files", "HarfangLab EDR", "Fortinet FortiProxy", "OGO WAF", "Sophos Firewall", "Zscaler Private Access [BETA]", "Microsoft 365 / Office 365", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Netskope", "Azure Application Gateway", "Google Cloud Load Balancing", "OCSF", "Azure Key Vault", "Cisco Umbrella Proxy", "F5 NGINX", "VMware vCenter", "Forcepoint Secure Web Gateway", "Suricata", "Thinkst Canary", "Windows", "Proofpoint TAP"]}, {"uuid": "abb4d036-6401-45d7-bb27-46a39d360ea1", "name": "Cobalt Strike DNS Beaconing", "effort": "advanced", "data_sources": ["DNS records", "Network device logs", "Packet capture"], "description": "Detects suspicious DNS queries known from Cobalt Strike beacons. The threshold is more than 50 suspicious DNS requests to avoid false positives.", "attack": ["command-and-control - DNS (T1071.004)"], "intake-formats": ["EfficientIP SOLIDServer DDI", "Fortinet FortiGate", "OCSF", "Gatewatcher AionIQ v102", "BIND", "Suricata", "Cloudflare Gateway DNS", "Crowdstrike Falcon Telemetry", "Unbound", "Zscaler Internet Access", "Infoblox DDI", "HarfangLab EDR", "Cisco Umbrella DNS"]}, {"uuid": "926516fb-f2e5-4ff3-8c13-f8f3cb9d2db4", "name": "CVE-2019-11510 Pulse Secure Exploit", "effort": "elementary", "data_sources": ["Network device logs", "Network protocol analysis", "Packet capture", "Web logs"], "description": "Detects the successful exploitation of the Pulse Secure vulnerability CVE-2019-11510. This CVE is one of the most exploited CVEs since 2019. It is exploited by diverse threat actors, leading sometimes in ransomware deployement among these groups: Maze, Conti, Egregor, DoppelPaymer, NetWalker and REvil. But also APT actors such as APT29. The exploitation of this CVE allows a remote, unauthenticated attacker to compromise a vulnerable VPN server. The attacker may be able to gain access to all active users and their plain-text credentials. It may also be possible for the attacker to execute arbitrary commands on each VPN client as it successfully connects to the VPN server. The exploit reads /etc/passwd file to get access to login and passwords in (clear/text). An HTTP response status code = 200, means the file was successfully accessed. This vulnerability affects 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 products.", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Cisco Secure Firewall", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "Squid", "F5 BIG-IP", "AWS WAF", "Apache HTTP Server", "Broadcom Edge Secure Web Gateway", "PingFederate", "Jizo AI / Sesame it NDR", "Citrix NetScaler / ADC", "Olfeo SAAS", "Imperva WAF", "Delinea PRA", "Cisco Secure Web Appliance", "Azure Front Door", "Salesforce", "HAProxy", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "Netskope Transaction Events with AWS S3", "Zscaler Internet Access", "Azure Files", "HarfangLab EDR", "Fortinet FortiProxy", "OGO WAF", "Sophos Firewall", "Zscaler Private Access [BETA]", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "Google Cloud Load Balancing", "OCSF", "Azure Key Vault", "Cisco Umbrella Proxy", "F5 NGINX", "VMware vCenter", "Suricata", "Thinkst Canary"]}, {"uuid": "8414af30-04d7-4a29-a83b-b82885572cf3", "name": "Anomaly Multiple Host Port Scan", "effort": "master", "data_sources": ["Network device logs", "Network intrusion detection system"], "description": "Detects multiple port scan from/to a private address, excluding DNS.", "attack": ["discovery - Network Service Discovery (T1046)"], "intake-formats": []}, {"uuid": "1842fa22-e990-4be7-90ae-daafc8540147", "name": "CVE-2021-20023 SonicWall Arbitrary File Read", "effort": "advanced", "data_sources": ["Packet capture", "Web logs", "Web application firewall logs", "Web proxy"], "description": "Detects Arbitrary File Read, which can be used with other vulnerabilities as a mean to obtain outputs generated by attackers, or sensitive data.", "attack": ["collection - Data Staged (T1074)"], "intake-formats": ["Fortinet FortiGate", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "AWS WAF", "Apache HTTP Server", "Sekoia.io activity logs", "Trellix Network Security", "Delinea PRA", "Cisco Secure Web Appliance", "Azure Front Door", "Lookout Mobile Endpoint Security", "Proofpoint PoD", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Zscaler Internet Access", "HarfangLab EDR", "Fortinet FortiProxy", "Microsoft 365 / Office 365", "Google Cloud Load Balancing", "OCSF", "VMware vCenter", "Suricata", "Cisco ISE", "Broadcom Edge Secure Web Gateway", "PingFederate", "Olfeo SAAS", "Fastly Next-Gen WAF Audit Logs", "TEHTRIS EDR", "BeyondTrust Privileged Remote Access Session", "Microsoft Entra ID / Azure AD", "BeyondTrust PRA Team [BETA]", "Zscaler Private Access [BETA]", "Cisco Umbrella Proxy", "F5 NGINX", "Forcepoint Secure Web Gateway", "Check Point Harmony Email & Collaboration Suite Security", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Broadcom/Symantec Endpoint Security", "Cisco IOS router and switch", "Proofpoint TAP", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Palo Alto Prisma access", "Ubika WAAP Gateway", "PRODAFT USTA Cyber Threat Intelligence Platform", "SonicWall Firewall", "Mimecast Email Security", "Citrix NetScaler / ADC", "Cato Networks SASE", "Cisco ESA", "Imperva WAF", "Salesforce", "HAProxy", "Olfeo secure web gateway", "CEF", "Check Point NGFW", "Fortinet FortiMail", "Netskope Transaction Events with AWS S3", "Palo Alto NGFW", "Azure Files", "Sophos Firewall", "Netskope", "Thinkst Canary", "Windows", "Sophos EDR", "Squid", "Cisco Meraki MX", "F5 BIG-IP", "Jizo AI / Sesame it NDR", "VMware ESXi", "Bitdefender GravityZone", "Microsoft Defender XDR / Microsoft 365 Defender", "OGO WAF", "Trend Micro Cloud One / Deep Security", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "SentinelOne EDR", "Azure Key Vault"]}, {"uuid": "6dcbcfa6-67cd-4138-ac9f-f3acd5971670", "name": "Detect requests to Konni C2 servers", "effort": "elementary", "data_sources": ["Packet capture", "Web logs", "Web application firewall logs", "Web proxy"], "description": "This rule detects requests to Konni C2 servers. These patterns come from an analysis done in 2022, September.", "attack": ["command-and-control - Web Protocols (T1071.001)"], "intake-formats": ["Fortinet FortiGate", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "AWS WAF", "Apache HTTP Server", "Sekoia.io activity logs", "Trellix Network Security", "Delinea PRA", "Cisco Secure Web Appliance", "Azure Front Door", "Lookout Mobile Endpoint Security", "Proofpoint PoD", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Zscaler Internet Access", "HarfangLab EDR", "Fortinet FortiProxy", "Microsoft 365 / Office 365", "Google Cloud Load Balancing", "OCSF", "VMware vCenter", "Suricata", "Cisco ISE", "Broadcom Edge Secure Web Gateway", "PingFederate", "Olfeo SAAS", "Fastly Next-Gen WAF Audit Logs", "TEHTRIS EDR", "BeyondTrust Privileged Remote Access Session", "Microsoft Entra ID / Azure AD", "BeyondTrust PRA Team [BETA]", "Zscaler Private Access [BETA]", "Cisco Umbrella Proxy", "F5 NGINX", "Forcepoint Secure Web Gateway", "Check Point Harmony Email & Collaboration Suite Security", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Broadcom/Symantec Endpoint Security", "Cisco IOS router and switch", "Proofpoint TAP", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Palo Alto Prisma access", "Ubika WAAP Gateway", "PRODAFT USTA Cyber Threat Intelligence Platform", "SonicWall Firewall", "Mimecast Email Security", "Citrix NetScaler / ADC", "Cato Networks SASE", "Cisco ESA", "Imperva WAF", "Salesforce", "HAProxy", "Olfeo secure web gateway", "CEF", "Check Point NGFW", "Fortinet FortiMail", "Netskope Transaction Events with AWS S3", "Palo Alto NGFW", "Azure Files", "Sophos Firewall", "Netskope", "Thinkst Canary", "Windows", "Sophos EDR", "Squid", "Cisco Meraki MX", "F5 BIG-IP", "Jizo AI / Sesame it NDR", "VMware ESXi", "Bitdefender GravityZone", "Microsoft Defender XDR / Microsoft 365 Defender", "OGO WAF", "Trend Micro Cloud One / Deep Security", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "SentinelOne EDR", "Azure Key Vault"]}, {"uuid": "cf7df53d-b5a9-40d5-9c10-759907315f5b", "name": "Bazar Loader DGA (Domain Generation Algorithm)", "effort": "elementary", "data_sources": ["Web application firewall logs", "Web proxy", "Packet capture", "Web logs"], "description": "Detects Bazar Loader domains based on the Bazar Loader DGA", "attack": ["command-and-control - DNS (T1071.004)"], "intake-formats": ["Fortinet FortiGate", "Gatewatcher AionIQ v102", "Cisco Secure Firewall", "WatchGuard Firebox", "Ubika WAAP Gateway", "Unbound", "Broadcom Edge Secure Web Gateway", "F5 BIG-IP", "Infoblox DDI", "Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Cisco ESA", "Broadcom Cloud Secure Web Gateway", "Ubika Cloud Protector Next Generation Alerts", "Imperva WAF", "Cloudflare WAF events", "Palo Alto Cortex XDR (EDR)", "Fortinet FortiWeb", "Microsoft Defender XDR / Microsoft 365 Defender", "Azure Windows", "Akamai WAF", "Trapster (by Ballpoint) [BETA]", "MokN - Baits", "Gatewatcher AionIQ V103", "Barracuda CloudGen Firewall", "F5 Distributed Cloud", "Netskope Transaction Events with AWS S3", "BIND", "Cloudflare DNS logs", "SentinelOne Cloud Funnel 2.0", "Tanium", "Zscaler Internet Access", "HarfangLab EDR", "Fortinet FortiProxy", "Zscaler Private Access [BETA]", "Aleph Alerts [BETA]", "Stormshield SNS", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Netskope", "EfficientIP SOLIDServer DDI", "OCSF", "Cloudflare Access Requests", "F5 NGINX", "Suricata", "Cloudflare Gateway DNS", "Cisco Catalyst SD-WAN", "Crowdstrike Falcon Telemetry", "Cisco Umbrella DNS", "Bitsight SPM", "Windows", "Elastic Winlogbeat"]}, {"uuid": "53247705-32c0-44cb-8035-331856b60ce6", "name": "CVE-2021-43798 Grafana Directory Traversal", "effort": "intermediate", "data_sources": ["Network device logs", "Network protocol analysis", "Web logs", "Web application firewall logs"], "description": "Grafana version 8.x has a 0day arbitrary file read (with no fix yet) based on a directory traversal vulnerability", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Cisco Secure Firewall", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "Squid", "F5 BIG-IP", "AWS WAF", "Apache HTTP Server", "Broadcom Edge Secure Web Gateway", "PingFederate", "Jizo AI / Sesame it NDR", "Citrix NetScaler / ADC", "Olfeo SAAS", "Imperva WAF", "Delinea PRA", "Cisco Secure Web Appliance", "Azure Front Door", "Salesforce", "HAProxy", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "Netskope Transaction Events with AWS S3", "Zscaler Internet Access", "Azure Files", "HarfangLab EDR", "Fortinet FortiProxy", "OGO WAF", "Sophos Firewall", "Zscaler Private Access [BETA]", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "Google Cloud Load Balancing", "OCSF", "Azure Key Vault", "Cisco Umbrella Proxy", "F5 NGINX", "VMware vCenter", "Suricata", "Thinkst Canary"]}, {"uuid": "54d564a9-b0e2-4631-b156-c36a5db07b9b", "name": "Cisco Identity Services Engine Configuration Changed", "effort": "master", "data_sources": ["Network device configuration"], "description": "Cisco Identity Services Engine (ISE) has detected a device configuration changed (Added, Changed or Deleted). This should be reviewed in order to check if this an expected admin action.", "attack": ["resource-development - Email Accounts (T1586.002)"], "intake-formats": ["Cisco ISE"]}, {"uuid": "3fed75bd-3402-4a2d-b9b3-1a438ed3fc58", "name": "CVE-2021-26855 Exchange SSRF", "effort": "advanced", "data_sources": ["Netflow/Enclave netflow", "Network protocol analysis", "Packet capture", "Web application firewall logs", "Web logs"], "description": "Detects the exploitation of ProyxLogon vulerability on Exchange servers.", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Fortinet FortiGate", "Cisco Secure Firewall", "Cloudflare Gateway HTTP", "Palo Alto Prisma access", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "Squid", "Cisco Meraki MX", "F5 BIG-IP", "AWS WAF", "Apache HTTP Server", "Broadcom Edge Secure Web Gateway", "SonicWall Firewall", "PingFederate", "Sekoia.io activity logs", "Citrix NetScaler / ADC", "Olfeo SAAS", "Trellix Network Security", "Imperva WAF", "Cisco Secure Web Appliance", "Azure Front Door", "Salesforce", "HAProxy", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "CEF", "Check Point NGFW", "Netskope Transaction Events with AWS S3", "SentinelOne Cloud Funnel 2.0", "Zscaler Internet Access", "Palo Alto NGFW", "HarfangLab EDR", "Zscaler Private Access [BETA]", "OGO WAF", "Sophos Firewall", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "Google Cloud Load Balancing", "OCSF", "Cisco Umbrella Proxy", "F5 NGINX", "VMware vCenter", "Forcepoint Secure Web Gateway", "Suricata", "Thinkst Canary"]}, {"uuid": "fa9a162b-444b-4ed5-9898-08aa5864a9e8", "name": "Telegram Bot API Request", "effort": "advanced", "data_sources": ["DNS records", "Netflow/Enclave netflow", "Network protocol analysis", "Packet capture", "Web logs"], "description": "Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind", "attack": ["command-and-control - Bidirectional Communication (T1102.002)"], "intake-formats": ["Fortinet FortiGate", "Cloudflare Gateway HTTP", "Hornetsecurity 365 Total Protection", "AWS WAF", "Apache HTTP Server", "Delinea PRA", "Cisco Secure Web Appliance", "Cloudflare Gateway Network", "Azure Windows", "Juniper NGFW", "Sophos Analysis Threat Center", "One Identity SPS", "Cloudflare DNS logs", "SentinelOne Cloud Funnel 2.0", "Tanium", "Zscaler Internet Access", "Vectra Cognito Detect", "HarfangLab EDR", "Fortinet FortiProxy", "EfficientIP SOLIDServer DDI", "OCSF", "Suricata", "Cloudflare Gateway DNS", "Crowdstrike Falcon Telemetry", "Elastic Winlogbeat", "Cisco ISE", "Broadcom Edge Secure Web Gateway", "CrowdStrike Falcon", "Infoblox DDI", "Postfix", "PingFederate", "Cloudflare WAF events", "AWS CloudFront", "AWS GuardDuty", "BIND", "Zscaler Private Access [BETA]", "Nozomi CMC", "Akamai Guardicore Cloud [BETA]", "Cisco Umbrella Proxy", "F5 NGINX", "Forcepoint Secure Web Gateway", "Trend Micro Apex One / Vision One endpoint", "Cisco Umbrella DNS", "Broadcom/Symantec Endpoint Security", "Akamai Guardicore On-Prem [BETA]", "Cisco Secure Firewall", "Palo Alto Prisma access", "Unbound", "SonicWall Firewall", "Cato Networks SASE", "Imperva WAF", "ArubaOS Switch", "HAProxy", "CEF", "Check Point NGFW", "Fortinet FortiMail", "Palo Alto NGFW", "Sophos Firewall", "Thinkst Canary", "Cisco NX-OS", "Windows", "Gatewatcher AionIQ v102", "Claroty xDome", "WatchGuard Firebox", "Squid", "F5 BIG-IP", "Ivanti / Pulse Connect Secure", "VMware ESXi", "Broadcom Cloud Secure Web Gateway", "Palo Alto Cortex XDR (EDR)", "Retarus Email Security", "SentinelOne Singularity Identity", "Barracuda CloudGen Firewall", "CyberArk Digital Vault", "OGO WAF", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "WALLIX Bastion", "Vade Cloud"]}, {"uuid": "8e632b7d-0070-4567-bf5d-d1eac6afad37", "name": "1Password EPM MFA Disable", "effort": "master", "data_sources": ["Third-party application logs"], "description": "Detects when the MFA for 1Password is disabled.", "attack": ["credential-access - Multi-Factor Authentication (T1556.006)"], "intake-formats": ["1Password EPM"]}, {"uuid": "75b26c09-92bb-43d5-9343-0aaf00435df0", "name": "Trellix Network Security Threat Blocked", "effort": "master", "data_sources": ["Web application firewall logs"], "description": "Trellix Network Security has detected a malicious traffic and blocked it.", "attack": ["command-and-control - Application Layer Protocol (T1071)"], "intake-formats": ["Trellix Network Security"]}, {"uuid": "bd808a15-690c-4932-8989-c9d2d7cfe8c5", "name": "Potential LokiBot User-Agent", "effort": "intermediate", "data_sources": ["Netflow/Enclave netflow", "Network protocol analysis", "Packet capture", "Web logs"], "description": "Detects potential LokiBot communications through the user-agent", "attack": ["command-and-control - Web Protocols (T1071.001)"], "intake-formats": ["Fortinet FortiGate", "Gatewatcher AionIQ v102", "Cisco Secure Firewall", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "Squid", "Cisco Meraki MX", "AWS WAF", "CrowdStrike Falcon", "Apache HTTP Server", "F5 BIG-IP", "SonicWall Firewall", "NeroSwarm Honeypot", "Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "Citrix NetScaler / ADC", "Ubika Cloud Protector Next Generation Alerts", "Trellix Network Security", "Imperva WAF", "Cisco Secure Web Appliance", "Azure Front Door", "Salesforce", "Cloudflare WAF events", "Fortinet FortiWeb", "AWS CloudFront", "HAProxy", "Gatewatcher AionIQ V103", "Microsoft Entra ID / Azure AD", "CEF", "Check Point NGFW", "Cloudflare HTTP requests", "F5 Distributed Cloud", "Netskope Transaction Events with AWS S3", "Ubika Cloud Protector Traffic [DEPRECATED]", "Zscaler Internet Access", "HarfangLab EDR", "Zscaler Private Access [BETA]", "OGO WAF", "Sophos Firewall", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "Google Cloud Load Balancing", "OCSF", "Cisco Umbrella Proxy", "F5 NGINX", "VMware vCenter", "Forcepoint Secure Web Gateway", "Suricata", "Thinkst Canary", "Cisco Catalyst SD-WAN", "Trapster (by Ballpoint) [BETA]"]}, {"uuid": "7ad9d141-b68a-4dca-a496-d9bddce8a46e", "name": "Fortigate Firewall Successful External Login", "effort": "master", "data_sources": ["Authentication logs", "Web application firewall logs", "Web logs", "Web proxy", "Network protocol analysis", "Packet capture"], "description": "Detects succesfull access to administration console of firewall from another IP address than 127.0.0.1. Prerequisites, check that the firewall logs format corresponds to the rule", "attack": ["initial-access - Valid Accounts (T1078)", "credential-access - Brute Force (T1110)"], "intake-formats": []}, {"uuid": "29884fe3-a924-4958-9447-6b0e402bb5dc", "name": "CVE-2021-22986 F5 BIG-IP iControl REST Unauthenticated RCE", "effort": "elementary", "data_sources": ["Network device logs", "Network protocol analysis", "Web logs", "Web application firewall logs"], "description": "Detects successful exploitation of the F5 BIG-IP vulnerability CVE-2021-22986.", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["F5 BIG-IP"]}, {"uuid": "4f69a6ad-5e24-4756-b56e-c95704dccade", "name": "Cloudflare Gateway DNS Query Allowed to Malicious Domain", "effort": "master", "data_sources": ["DNS records"], "description": "A DNS query to a domain categorized by Cloudflare Gateway as malicious was allowed because no blocking policy is configured.", "attack": ["command-and-control - Web Protocols (T1071.001)"], "intake-formats": ["Cloudflare Gateway DNS"]}, {"uuid": "2ad46415-48b6-4bfd-899d-7b936375a0e3", "name": "Exfiltration Domain", "effort": "master", "data_sources": ["DNS records", "Netflow/Enclave netflow", "Network protocol analysis", "Packet capture", "Web logs"], "description": "Detects traffic toward a domain flagged as a possible exfiltration vector.", "attack": ["exfiltration - Exfiltration Over Alternative Protocol (T1048)", "exfiltration - Exfiltration Over Web Service (T1567)"], "intake-formats": ["Broadcom Siteminder", "Fortinet FortiGate", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "Hornetsecurity 365 Total Protection", "Google Cloud Audit Logs", "GraphAPI for Microsoft Entra ID / Azure AD", "AWS WAF", "Apache HTTP Server", "Juniper Networks Switches", "NeroSwarm Honeypot", "Sekoia.io activity logs", "Veeam Backup", "Elastic AuditBeat Linux", "Trellix Network Security", "Delinea PRA", "Cisco Secure Web Appliance", "Azure Front Door", "Cloudflare Gateway Network", "Azure Windows", "Proofpoint PoD", "Juniper NGFW", "Vade for M365", "Sophos Analysis Threat Center", "Wiz Audit Logs", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Cloudflare DNS logs", "Google VPC Flow Logs", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Zscaler Internet Access", "Forcepoint Next-Generation Firewall", "Vectra Cognito Detect", "HarfangLab EDR", "Fortinet FortiProxy", "Stormshield SNS", "Microsoft 365 / Office 365", "EfficientIP SOLIDServer DDI", "Google Cloud Load Balancing", "OCSF", "ExtraHop Reveal(x) 360", "VMware vCenter", "Suricata", "Cloudflare Gateway DNS", "Crowdstrike Falcon Telemetry", "SonicWall Secure Mobile Access", "OpenBSD Packet Filter / OPNSense / PfSense", "Elastic Winlogbeat", "Github Audit logs", "Systancia Cleanroom", "Cloudflare Audit logs", "Watchguard EPDR", "Cisco ISE", "ManageEngine ADAudit Plus", "Wiz Threat Detections", "Broadcom Edge Secure Web Gateway", "CrowdStrike Falcon", "Infoblox DDI", "1Password EPM", "Postfix", "PingFederate", "Google Workspace / ChromeOS", "Olfeo SAAS", "Rubycat PROVE IT", "Radware DefensePro [Beta]", "Apache SpamAssassin", "Cloudflare WAF events", "Fastly Next-Gen WAF Audit Logs", "Kubernetes Audit Log", "Trellix Advanced Threat Defense", "Fortinet FortiWeb", "TEHTRIS EDR", "Akamai WAF", "AWS CloudFront", "BeyondTrust Privileged Remote Access Session", "Microsoft Entra ID / Azure AD", "AWS GuardDuty", "BeyondTrust PRA Team [BETA]", "Cloudflare HTTP requests", "BIND", "Ubika Cloud Protector Traffic [DEPRECATED]", "Zscaler Private Access [BETA]", "Nozomi CMC", "Wiz Issues", "Aleph Alerts [BETA]", "ISC DHCP", "Akamai Guardicore Cloud [BETA]", "Cyberwatch Detection", "Lacework Cloud Security", "Sekoia.io Endpoint Agent", "Cisco Umbrella Proxy", "Varonis Data Security", "F5 NGINX", "Forcepoint Secure Web Gateway", "Check Point Harmony Email & Collaboration Suite Security", "Trend Micro Apex One / Vision One endpoint", "Cisco Umbrella DNS", "Broadcom/Symantec Endpoint Security", "Bitsight SPM", "Cisco IOS router and switch", "LockSelf LockPass/LockTransfer/LockFiles", "OpenSSH", "Proofpoint TAP", "Microsoft Defender XDR (Graph API) [BETA]", "Stormshield SES", "Akamai Guardicore On-Prem [BETA]", "Forcepoint Management Server", "Cisco Secure Firewall", "Palo Alto Prisma access", "Ubika WAAP Gateway", "IBM AIX", "PRODAFT USTA Cyber Threat Intelligence Platform", "Clavister NGFW", "Unbound", "BeyondTrust Privileged Remote Access Syslog [BETA]", "SonicWall Firewall", "Mimecast Email Security", "ESET Protect", "Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "Azure Network Watcher [DEPRECATED]", "Citrix NetScaler / ADC", "Microsoft Always On VPN", "Cato Networks SASE", "Cisco ESA", "Nozomi Vantage", "Trellix EPO [ALPHA]", "Imperva WAF", "Ubika Cloud Protector Next Generation Alerts", "CyberArk Audit Logs", "ArubaOS Switch", "Salesforce", "Okta", "HAProxy", "Olfeo secure web gateway", "Gatewatcher AionIQ V103", "AWS CloudTrail", "CEF", "WatchGuard Endpoint Security / Panda Security Aether", "F5 Distributed Cloud", "Check Point NGFW", "Fortinet FortiMail", "Netskope Transaction Events with AWS S3", "Palo Alto NGFW", "Azure Files", "Sophos Firewall", "Netskope", "Microsoft IIS", "Cloudflare Access Requests", "Cisco Umbrella IP", "Thinkst Canary", "Microsoft 365 Message Trace [DEPRECATED]", "Cisco NX-OS", "OpenVPN", "NucleonEDR", "Windows", "Jumpcloud Directory Insights", "OpenLDAP", "Keycloak Events", "Netfilter", "Seckiot Citadelle", "Gatewatcher AionIQ v102", "Ekinops OneOS", "Claroty xDome", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "WatchGuard Firebox", "FreeRADIUS", "Squid", "Fastly Next-Gen WAF Alerts", "Cisco Meraki MX", "F5 BIG-IP", "Ivanti / Pulse Connect Secure", "Microsoft 365 Message Trace (Graph API)", "Jizo AI / Sesame it NDR", "VMware ESXi", "Darktrace Threat Visualizer", "Trellix ePO (on-prem)", "Microsoft Intune", "Bitdefender GravityZone", "Nanocorp [BETA]", "Broadcom Cloud Secure Web Gateway", "Azure Database for MySQL", "Palo Alto Cortex XDR (EDR)", "Retarus Email Security", "Microsoft Defender XDR / Microsoft 365 Defender", "Trapster (by Ballpoint) [BETA]", "AWS VPC Flow logs", "MokN - Baits", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "WithSecure Elements", "CyberArk Digital Vault", "Wiz Vulnerability Findings", "OGO WAF", "Trend Micro Cloud One / Deep Security", "Azure Activity Logs", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "SentinelOne EDR", "Azure Key Vault", "IBM iSeries", "Azure Network Watcher Flow Logs", "Ubika Cloud Protector Alerts [DEPRECATED]", "Cisco Duo Security", "Cisco Catalyst SD-WAN", "WALLIX Bastion", "Vade Cloud"]}, {"uuid": "41422dfa-7de5-4552-ada8-22981eb2a30c", "name": "Login Brute-Force On Fortinet Firewall From Internet", "effort": "advanced", "data_sources": ["Authentication logs", "Web application firewall logs", "Web logs", "Web proxy", "Network protocol analysis", "Packet capture"], "description": "Detects successful access to administration console of a firewall after several failure from Internet.", "attack": ["credential-access - Brute Force (T1110)", "initial-access - Valid Accounts (T1078)"], "intake-formats": []}, {"uuid": "dd32dc5a-5953-4b2f-a7d2-17fb0d442825", "name": "Spearphishing (Initial Contact Fraud) Detected By Vade For M365", "effort": "master", "data_sources": ["Anti-virus", "Email gateway"], "description": "Vade Secure product Vade for M365 has detected a spearphishing attempt with initial contact fraud thematic. Do not contains any malicious content or specific actions other than a request to reply to the email. \u201cAre you available?\u201d. The main goal is to incite a reply that could register the sending address as a known and legitimate address.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Vade for M365"]}, {"uuid": "deb49945-1556-4c3e-bfc6-4bfbf098e988", "name": "Citrix NetScaler (ADC) Actions Blocked", "effort": "advanced", "data_sources": ["Application logs"], "description": "This rule aims to detect a large amount of actions blocked performed from the same source.", "attack": ["privilege-escalation - Abuse Elevation Control Mechanism (T1548)"], "intake-formats": ["Citrix NetScaler / ADC"]}, {"uuid": "62844398-7b39-11eb-9439-0242ac130002", "name": "CVE-2021-21972 VMware vCenter", "effort": "intermediate", "data_sources": ["Web logs", "Web application firewall logs", "Web proxy", "Packet capture"], "description": "The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2). POST request on the following PATH \"/ui/vropspluginui/rest/services/uploadova\". If in response body (500) the words it has \"uploadFile\", that means the vCenter is available to accept files via POST without any restrictions.", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Fortinet FortiGate", "Cisco Secure Firewall", "Cloudflare Gateway HTTP", "Palo Alto Prisma access", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "Squid", "Cisco Meraki MX", "F5 BIG-IP", "AWS WAF", "Apache HTTP Server", "Broadcom Edge Secure Web Gateway", "SonicWall Firewall", "PingFederate", "Sekoia.io activity logs", "Citrix NetScaler / ADC", "Olfeo SAAS", "Trellix Network Security", "Imperva WAF", "Cisco Secure Web Appliance", "Azure Front Door", "Salesforce", "HAProxy", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "CEF", "Check Point NGFW", "Netskope Transaction Events with AWS S3", "SentinelOne Cloud Funnel 2.0", "Zscaler Internet Access", "Palo Alto NGFW", "HarfangLab EDR", "Zscaler Private Access [BETA]", "OGO WAF", "Sophos Firewall", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "Google Cloud Load Balancing", "OCSF", "Cisco Umbrella Proxy", "F5 NGINX", "VMware vCenter", "Forcepoint Secure Web Gateway", "Suricata", "Thinkst Canary"]}, {"uuid": "5755350f-5b18-4263-b560-1362cd0ff43c", "name": "CVE-2021-21985 VMware vCenter", "effort": "advanced", "data_sources": ["Web logs", "Web proxy", "Web application firewall logs", "Packet capture"], "description": "The VMware vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.0 before 7.0 U2b, 6.7 before 6.7 U3n and 6.5 before 6.5 U3p) and VMware Cloud Foundation (4.x before 4.2.1 and 3.x before 3.10.2.1).", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Fortinet FortiGate", "Cisco Secure Firewall", "Cloudflare Gateway HTTP", "Palo Alto Prisma access", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "Squid", "Cisco Meraki MX", "F5 BIG-IP", "AWS WAF", "Apache HTTP Server", "Broadcom Edge Secure Web Gateway", "SonicWall Firewall", "PingFederate", "Sekoia.io activity logs", "Citrix NetScaler / ADC", "Olfeo SAAS", "Trellix Network Security", "Imperva WAF", "Cisco Secure Web Appliance", "Azure Front Door", "Salesforce", "HAProxy", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "CEF", "Check Point NGFW", "Netskope Transaction Events with AWS S3", "SentinelOne Cloud Funnel 2.0", "Zscaler Internet Access", "Palo Alto NGFW", "HarfangLab EDR", "Zscaler Private Access [BETA]", "OGO WAF", "Sophos Firewall", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "Google Cloud Load Balancing", "OCSF", "Cisco Umbrella Proxy", "F5 NGINX", "VMware vCenter", "Forcepoint Secure Web Gateway", "Suricata", "Thinkst Canary"]}, {"uuid": "5f64d7e1-f726-468e-8eb7-ca394b8c011f", "name": "CVE-2018-11776 Apache Struts2", "effort": "intermediate", "data_sources": ["Network device logs", "Network protocol analysis", "Web logs", "Web application firewall logs"], "description": "Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace.", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Fortinet FortiGate", "Cisco Secure Firewall", "Cloudflare Gateway HTTP", "Palo Alto Prisma access", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "Squid", "Cisco Meraki MX", "F5 BIG-IP", "AWS WAF", "Apache HTTP Server", "Broadcom Edge Secure Web Gateway", "SonicWall Firewall", "PingFederate", "Sekoia.io activity logs", "Citrix NetScaler / ADC", "Olfeo SAAS", "Trellix Network Security", "Imperva WAF", "Cisco Secure Web Appliance", "Azure Front Door", "Salesforce", "HAProxy", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "CEF", "Check Point NGFW", "Netskope Transaction Events with AWS S3", "SentinelOne Cloud Funnel 2.0", "Zscaler Internet Access", "Palo Alto NGFW", "HarfangLab EDR", "Zscaler Private Access [BETA]", "OGO WAF", "Sophos Firewall", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "Google Cloud Load Balancing", "OCSF", "Cisco Umbrella Proxy", "F5 NGINX", "VMware vCenter", "Forcepoint Secure Web Gateway", "Suricata", "Thinkst Canary"]}, {"uuid": "401eb0e4-bf91-4c99-b424-fba18a01c180", "name": "Brute-Force On Fortinet Firewall Login", "effort": "master", "data_sources": ["Authentication logs", "Web application firewall logs", "Web logs", "Web proxy", "Network protocol analysis", "Packet capture"], "description": "Spots many failed attempts to log on an administration interface.", "attack": ["credential-access - Brute Force (T1110)", "initial-access - Valid Accounts (T1078)"], "intake-formats": []}, {"uuid": "52388852-48db-4b7f-9217-194fcaccbd4f", "name": "Spearphishing (W2 Fraud) Detected By Vade For M365", "effort": "master", "data_sources": ["Anti-virus", "Email gateway"], "description": "Vade Secure product Vade for M365 has detected a spearphishing attempt with W2 fraud thematic. Executive or HR impersonation phishing for social security numbers or tax identification numbers. Collected data are generally used for identity theft schemes.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Vade for M365"]}, {"uuid": "0f3494de-d213-4cc9-b8be-0941107728fd", "name": "Anomaly Internal Port Connection", "effort": "master", "data_sources": ["Network device logs", "Network intrusion detection system"], "description": "Detects multiple scan of different ports on internal network.", "attack": ["discovery - Network Service Discovery (T1046)"], "intake-formats": []}, {"uuid": "8ef048fc-bad3-4bd3-b0a2-8dc1f5d1b51d", "name": "CVE-2021-20021 SonicWall Unauthenticated Administrator Access", "effort": "advanced", "data_sources": ["Packet capture", "Web logs", "Web application firewall logs", "Web proxy"], "description": "Detects the exploitation of SonicWall Unauthenticated Admin Access.", "attack": ["persistence - Create Account (T1136)", "initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Fortinet FortiGate", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "AWS WAF", "Apache HTTP Server", "Sekoia.io activity logs", "Trellix Network Security", "Delinea PRA", "Cisco Secure Web Appliance", "Azure Front Door", "Lookout Mobile Endpoint Security", "Proofpoint PoD", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Zscaler Internet Access", "HarfangLab EDR", "Fortinet FortiProxy", "Microsoft 365 / Office 365", "Google Cloud Load Balancing", "OCSF", "VMware vCenter", "Suricata", "Cisco ISE", "Broadcom Edge Secure Web Gateway", "PingFederate", "Olfeo SAAS", "Fastly Next-Gen WAF Audit Logs", "TEHTRIS EDR", "BeyondTrust Privileged Remote Access Session", "Microsoft Entra ID / Azure AD", "BeyondTrust PRA Team [BETA]", "Zscaler Private Access [BETA]", "Cisco Umbrella Proxy", "F5 NGINX", "Forcepoint Secure Web Gateway", "Check Point Harmony Email & Collaboration Suite Security", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Broadcom/Symantec Endpoint Security", "Cisco IOS router and switch", "Proofpoint TAP", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Palo Alto Prisma access", "Ubika WAAP Gateway", "PRODAFT USTA Cyber Threat Intelligence Platform", "SonicWall Firewall", "Mimecast Email Security", "Citrix NetScaler / ADC", "Cato Networks SASE", "Cisco ESA", "Imperva WAF", "Salesforce", "HAProxy", "Olfeo secure web gateway", "CEF", "Check Point NGFW", "Fortinet FortiMail", "Netskope Transaction Events with AWS S3", "Palo Alto NGFW", "Azure Files", "Sophos Firewall", "Netskope", "Thinkst Canary", "Windows", "Sophos EDR", "Squid", "Cisco Meraki MX", "F5 BIG-IP", "Jizo AI / Sesame it NDR", "VMware ESXi", "Bitdefender GravityZone", "Microsoft Defender XDR / Microsoft 365 Defender", "OGO WAF", "Trend Micro Cloud One / Deep Security", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "SentinelOne EDR", "Azure Key Vault"]}, {"uuid": "22b6997e-2287-499a-9c3e-a24f215f7613", "name": "Anomaly CloudFlare DDoS", "effort": "master", "data_sources": ["DNS records"], "description": "Detects anomaly on volume of DNS events from CloudFlare logs.", "attack": ["impact - Network Denial of Service (T1498)"], "intake-formats": []}, {"uuid": "d7a94ef7-9ed5-46d7-9426-8bd27fb2ca17", "name": "CVE-2021-22893 Pulse Connect Secure RCE Vulnerability", "effort": "intermediate", "data_sources": ["Network device logs", "Network protocol analysis", "Web logs", "Web application firewall logs"], "description": "Detects potential exploitation of the authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. It is highly recommended to apply the Pulse Secure mitigations and seach for indicators of compromise on affected servers if you are in doubt over the integrity of your Pulse Connect Secure product.", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Fortinet FortiGate", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "AWS WAF", "Apache HTTP Server", "Sekoia.io activity logs", "Trellix Network Security", "Delinea PRA", "Cisco Secure Web Appliance", "Azure Front Door", "Lookout Mobile Endpoint Security", "Proofpoint PoD", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Zscaler Internet Access", "HarfangLab EDR", "Fortinet FortiProxy", "Microsoft 365 / Office 365", "Google Cloud Load Balancing", "OCSF", "VMware vCenter", "Suricata", "Cisco ISE", "Broadcom Edge Secure Web Gateway", "PingFederate", "Olfeo SAAS", "Fastly Next-Gen WAF Audit Logs", "TEHTRIS EDR", "BeyondTrust Privileged Remote Access Session", "Microsoft Entra ID / Azure AD", "BeyondTrust PRA Team [BETA]", "Zscaler Private Access [BETA]", "Cisco Umbrella Proxy", "F5 NGINX", "Forcepoint Secure Web Gateway", "Check Point Harmony Email & Collaboration Suite Security", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Broadcom/Symantec Endpoint Security", "Cisco IOS router and switch", "Proofpoint TAP", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Palo Alto Prisma access", "Ubika WAAP Gateway", "PRODAFT USTA Cyber Threat Intelligence Platform", "SonicWall Firewall", "Mimecast Email Security", "Citrix NetScaler / ADC", "Cato Networks SASE", "Cisco ESA", "Imperva WAF", "Salesforce", "HAProxy", "Olfeo secure web gateway", "CEF", "Check Point NGFW", "Fortinet FortiMail", "Netskope Transaction Events with AWS S3", "Palo Alto NGFW", "Azure Files", "Sophos Firewall", "Netskope", "Thinkst Canary", "Windows", "Sophos EDR", "Squid", "Cisco Meraki MX", "F5 BIG-IP", "Jizo AI / Sesame it NDR", "VMware ESXi", "Bitdefender GravityZone", "Microsoft Defender XDR / Microsoft 365 Defender", "OGO WAF", "Trend Micro Cloud One / Deep Security", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "SentinelOne EDR", "Azure Key Vault"]}, {"uuid": "f3935410-dcdf-4284-b80b-0d8609702432", "name": "Burp Suite Tool Detected", "effort": "intermediate", "data_sources": ["Web proxy", "Web logs", "Web application firewall logs", "Packet capture", "Network intrusion detection system"], "description": "Burp Suite is a cybersecurity tool. When used as a proxy service, its purpose is to intercept packets and modify them to send them to the server. Burp Collaborator is a network service that Burp Suite uses to help discover many kinds of vulnerabilities (vulnerabilities scanner).", "attack": ["reconnaissance - Vulnerability Scanning (T1595.002)"], "intake-formats": ["Fortinet FortiGate", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "Hornetsecurity 365 Total Protection", "AWS WAF", "Apache HTTP Server", "Trellix Network Security", "Delinea PRA", "Cisco Secure Web Appliance", "Azure Front Door", "Cloudflare Gateway Network", "Azure Windows", "Proofpoint PoD", "Juniper NGFW", "Sophos Analysis Threat Center", "One Identity SPS", "SentinelOne Cloud Funnel 2.0", "Zscaler Internet Access", "Vectra Cognito Detect", "HarfangLab EDR", "Fortinet FortiProxy", "Microsoft 365 / Office 365", "Google Cloud Load Balancing", "OCSF", "VMware vCenter", "Suricata", "Elastic Winlogbeat", "Cisco ISE", "CrowdStrike Falcon", "Postfix", "PingFederate", "Olfeo SAAS", "Cloudflare WAF events", "TEHTRIS EDR", "AWS CloudFront", "BeyondTrust Privileged Remote Access Session", "Microsoft Entra ID / Azure AD", "AWS GuardDuty", "BeyondTrust PRA Team [BETA]", "Zscaler Private Access [BETA]", "Nozomi CMC", "Akamai Guardicore Cloud [BETA]", "Cisco Umbrella Proxy", "F5 NGINX", "Forcepoint Secure Web Gateway", "Check Point Harmony Email & Collaboration Suite Security", "Trend Micro Apex One / Vision One endpoint", "Broadcom/Symantec Endpoint Security", "Stormshield SES", "Cisco IOS router and switch", "Proofpoint TAP", "Microsoft Defender XDR (Graph API) [BETA]", "Akamai Guardicore On-Prem [BETA]", "Cisco Secure Firewall", "Palo Alto Prisma access", "Ubika WAAP Gateway", "PRODAFT USTA Cyber Threat Intelligence Platform", "SonicWall Firewall", "Mimecast Email Security", "Citrix NetScaler / ADC", "Cato Networks SASE", "Cisco ESA", "Imperva WAF", "ArubaOS Switch", "Salesforce", "HAProxy", "Olfeo secure web gateway", "CEF", "Check Point NGFW", "Fortinet FortiMail", "Netskope Transaction Events with AWS S3", "Palo Alto NGFW", "Azure Files", "Sophos Firewall", "Netskope", "Thinkst Canary", "Cisco NX-OS", "Windows", "Gatewatcher AionIQ v102", "Claroty xDome", "WatchGuard Firebox", "Squid", "Cisco Meraki MX", "F5 BIG-IP", "Ivanti / Pulse Connect Secure", "Jizo AI / Sesame it NDR", "VMware ESXi", "Bitdefender GravityZone", "Retarus Email Security", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "CyberArk Digital Vault", "OGO WAF", "Trend Micro Cloud One / Deep Security", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "SentinelOne EDR", "Azure Key Vault", "WALLIX Bastion", "Vade Cloud"]}, {"uuid": "79605045-3cf7-4d45-936a-c1f9e254c911", "name": "Potential Bazar Loader User-Agents", "effort": "elementary", "data_sources": ["Web application firewall logs", "Web proxy", "Packet capture", "Web logs"], "description": "Detects potential Bazar loader communications through the user-agent", "attack": ["command-and-control - Web Protocols (T1071.001)"], "intake-formats": ["Fortinet FortiGate", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "Google Cloud Audit Logs", "GraphAPI for Microsoft Entra ID / Azure AD", "AWS WAF", "Apache HTTP Server", "NeroSwarm Honeypot", "Sekoia.io activity logs", "Trellix Network Security", "Delinea PRA", "Cisco Secure Web Appliance", "Azure Front Door", "Wiz Audit Logs", "Zscaler Internet Access", "HarfangLab EDR", "Fortinet FortiProxy", "Microsoft 365 / Office 365", "Google Cloud Load Balancing", "OCSF", "VMware vCenter", "Suricata", "SonicWall Secure Mobile Access", "Github Audit logs", "Cisco ISE", "Broadcom Edge Secure Web Gateway", "CrowdStrike Falcon", "Cloudflare WAF events", "Fastly Next-Gen WAF Audit Logs", "Kubernetes Audit Log", "Fortinet FortiWeb", "AWS CloudFront", "Microsoft Entra ID / Azure AD", "AWS GuardDuty", "Cloudflare HTTP requests", "Ubika Cloud Protector Traffic [DEPRECATED]", "Zscaler Private Access [BETA]", "Nozomi CMC", "Cisco Umbrella Proxy", "F5 NGINX", "Forcepoint Secure Web Gateway", "Trapster (by Ballpoint) [BETA]", "Proofpoint TAP", "Cisco Secure Firewall", "Ubika WAAP Gateway", "SonicWall Firewall", "Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "Citrix NetScaler / ADC", "Cato Networks SASE", "Cisco ESA", "Ubika Cloud Protector Next Generation Alerts", "Imperva WAF", "Salesforce", "Okta", "HAProxy", "Gatewatcher AionIQ V103", "AWS CloudTrail", "CEF", "Check Point NGFW", "F5 Distributed Cloud", "Netskope Transaction Events with AWS S3", "Azure Files", "Sophos Firewall", "Netskope", "Thinkst Canary", "Windows", "Gatewatcher AionIQ v102", "Squid", "Fastly Next-Gen WAF Alerts", "Cisco Meraki MX", "F5 BIG-IP", "Ivanti / Pulse Connect Secure", "VMware ESXi", "Broadcom Cloud Secure Web Gateway", "Microsoft Defender XDR / Microsoft 365 Defender", "MokN - Baits", "OGO WAF", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "Azure Key Vault", "Cisco Duo Security", "Cisco Catalyst SD-WAN"]}, {"uuid": "a7d60e17-f963-4ed9-a74a-7b8a3b11e9be", "name": "FoggyWeb HTTP Default GET/POST Requests", "effort": "advanced", "data_sources": ["Packet capture", "Network protocol analysis", "Web logs", "Web application firewall logs"], "description": "Detects GET or POST request pattern observed within the first FoggyWeb campaign detected by Microsoft.", "attack": ["command-and-control - Web Protocols (T1071.001)"], "intake-formats": ["Fortinet FortiGate", "Cisco Secure Firewall", "Cloudflare Gateway HTTP", "Palo Alto Prisma access", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "Squid", "Cisco Meraki MX", "F5 BIG-IP", "AWS WAF", "Apache HTTP Server", "Broadcom Edge Secure Web Gateway", "SonicWall Firewall", "PingFederate", "Sekoia.io activity logs", "Citrix NetScaler / ADC", "Olfeo SAAS", "Trellix Network Security", "Imperva WAF", "Cisco Secure Web Appliance", "Azure Front Door", "Salesforce", "HAProxy", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "CEF", "Check Point NGFW", "Netskope Transaction Events with AWS S3", "SentinelOne Cloud Funnel 2.0", "Zscaler Internet Access", "Palo Alto NGFW", "HarfangLab EDR", "Zscaler Private Access [BETA]", "OGO WAF", "Sophos Firewall", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "Google Cloud Load Balancing", "OCSF", "Cisco Umbrella Proxy", "F5 NGINX", "VMware vCenter", "Forcepoint Secure Web Gateway", "Suricata", "Thinkst Canary"]}, {"uuid": "49b68c96-d5ff-495d-8dba-265737cd6295", "name": "CVE-2019-19781 Citrix NetScaler (ADC)", "effort": "elementary", "data_sources": ["Packet capture", "Web logs", "Web proxy", "Web application firewall logs"], "description": "Detects CVE-2019-19781 exploitation attempt against Citrix NetScaler (ADC), Application Delivery Controller and Citrix Gateway Attack.", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Cisco Secure Firewall", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "Squid", "F5 BIG-IP", "AWS WAF", "Apache HTTP Server", "Broadcom Edge Secure Web Gateway", "PingFederate", "Jizo AI / Sesame it NDR", "Citrix NetScaler / ADC", "Olfeo SAAS", "Imperva WAF", "Delinea PRA", "Cisco Secure Web Appliance", "Azure Front Door", "Salesforce", "HAProxy", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "Netskope Transaction Events with AWS S3", "Zscaler Internet Access", "Azure Files", "HarfangLab EDR", "Fortinet FortiProxy", "OGO WAF", "Sophos Firewall", "Zscaler Private Access [BETA]", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "Google Cloud Load Balancing", "OCSF", "Azure Key Vault", "Cisco Umbrella Proxy", "F5 NGINX", "VMware vCenter", "Suricata", "Thinkst Canary"]}, {"uuid": "514fb7cb-0bf2-49b6-aae6-76950af34108", "name": "CVE-2020-1147 SharePoint", "effort": "advanced", "data_sources": ["Packet capture", "Web logs", "Web application firewall logs", "Web proxy"], "description": "Detection of SharePoint vulnerability CVE-2020-1147.", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Fortinet FortiGate", "Cisco Secure Firewall", "Cloudflare Gateway HTTP", "Palo Alto Prisma access", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "Squid", "Cisco Meraki MX", "F5 BIG-IP", "AWS WAF", "Apache HTTP Server", "Broadcom Edge Secure Web Gateway", "SonicWall Firewall", "PingFederate", "Sekoia.io activity logs", "Citrix NetScaler / ADC", "Olfeo SAAS", "Trellix Network Security", "Imperva WAF", "Cisco Secure Web Appliance", "Azure Front Door", "Salesforce", "HAProxy", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "CEF", "Check Point NGFW", "Netskope Transaction Events with AWS S3", "SentinelOne Cloud Funnel 2.0", "Zscaler Internet Access", "Palo Alto NGFW", "HarfangLab EDR", "Zscaler Private Access [BETA]", "OGO WAF", "Sophos Firewall", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "Google Cloud Load Balancing", "OCSF", "Cisco Umbrella Proxy", "F5 NGINX", "VMware vCenter", "Forcepoint Secure Web Gateway", "Suricata", "Thinkst Canary"]}, {"uuid": "99154a31-7b4d-4e9e-9557-2b3c93e50111", "name": "1Password EPM Share Externally", "effort": "master", "data_sources": ["Third-party application logs"], "description": "Detects when an item from 1Password is shared externally.", "attack": ["exfiltration - Exfiltration Over Alternative Protocol (T1048)"], "intake-formats": ["1Password EPM"]}, {"uuid": "32d37ad6-c0c9-4f7b-842b-8e27faeccc68", "name": "ESET Protect Remote Action", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects when different remote commands are performed on the same hostname is a short amount of time.", "attack": ["lateral-movement - Exploitation of Remote Services (T1210)"], "intake-formats": ["ESET Protect"]}, {"uuid": "3035b533-9def-4397-80db-fa98017b97e9", "name": "Scam Detected By Vade For M365", "effort": "master", "data_sources": ["Anti-virus", "Email gateway"], "description": "Vade Secure product Vade for M365, has detected a scam e-mail.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Vade for M365"]}, {"uuid": "68c9b077-0a3f-4b95-975d-1080c67c6cc8", "name": "Dynamic DNS Contacted", "effort": "master", "data_sources": ["DNS records", "Netflow/Enclave netflow", "Network protocol analysis", "Packet capture", "Process use of network", "Web logs"], "description": "Detect communication with dynamic dns domain. This kind of domain is often used by attackers. This rule can trigger false positive in non-controlled environment because dynamic dns is not always malicious.", "attack": ["command-and-control - Application Layer Protocol (T1071)"], "intake-formats": ["Broadcom Siteminder", "Fortinet FortiGate", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "Hornetsecurity 365 Total Protection", "Google Cloud Audit Logs", "GraphAPI for Microsoft Entra ID / Azure AD", "AWS WAF", "Apache HTTP Server", "Juniper Networks Switches", "NeroSwarm Honeypot", "Sekoia.io activity logs", "Veeam Backup", "Elastic AuditBeat Linux", "Trellix Network Security", "Delinea PRA", "Cisco Secure Web Appliance", "Azure Front Door", "Cloudflare Gateway Network", "Azure Windows", "Proofpoint PoD", "Juniper NGFW", "Vade for M365", "Sophos Analysis Threat Center", "Wiz Audit Logs", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Cloudflare DNS logs", "Google VPC Flow Logs", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Zscaler Internet Access", "Forcepoint Next-Generation Firewall", "Vectra Cognito Detect", "HarfangLab EDR", "Fortinet FortiProxy", "Stormshield SNS", "Microsoft 365 / Office 365", "EfficientIP SOLIDServer DDI", "Google Cloud Load Balancing", "OCSF", "ExtraHop Reveal(x) 360", "VMware vCenter", "Suricata", "Cloudflare Gateway DNS", "Crowdstrike Falcon Telemetry", "SonicWall Secure Mobile Access", "OpenBSD Packet Filter / OPNSense / PfSense", "Elastic Winlogbeat", "Github Audit logs", "Systancia Cleanroom", "Cloudflare Audit logs", "Watchguard EPDR", "Cisco ISE", "ManageEngine ADAudit Plus", "Wiz Threat Detections", "Broadcom Edge Secure Web Gateway", "CrowdStrike Falcon", "Infoblox DDI", "1Password EPM", "Postfix", "PingFederate", "Google Workspace / ChromeOS", "Olfeo SAAS", "Rubycat PROVE IT", "Radware DefensePro [Beta]", "Apache SpamAssassin", "Cloudflare WAF events", "Fastly Next-Gen WAF Audit Logs", "Kubernetes Audit Log", "Trellix Advanced Threat Defense", "Fortinet FortiWeb", "TEHTRIS EDR", "Akamai WAF", "AWS CloudFront", "BeyondTrust Privileged Remote Access Session", "Microsoft Entra ID / Azure AD", "AWS GuardDuty", "BeyondTrust PRA Team [BETA]", "Cloudflare HTTP requests", "BIND", "Ubika Cloud Protector Traffic [DEPRECATED]", "Zscaler Private Access [BETA]", "Nozomi CMC", "Wiz Issues", "Aleph Alerts [BETA]", "ISC DHCP", "Akamai Guardicore Cloud [BETA]", "Cyberwatch Detection", "Lacework Cloud Security", "Sekoia.io Endpoint Agent", "Cisco Umbrella Proxy", "Varonis Data Security", "F5 NGINX", "Forcepoint Secure Web Gateway", "Check Point Harmony Email & Collaboration Suite Security", "Trend Micro Apex One / Vision One endpoint", "Cisco Umbrella DNS", "Broadcom/Symantec Endpoint Security", "Bitsight SPM", "Cisco IOS router and switch", "LockSelf LockPass/LockTransfer/LockFiles", "OpenSSH", "Proofpoint TAP", "Microsoft Defender XDR (Graph API) [BETA]", "Stormshield SES", "Akamai Guardicore On-Prem [BETA]", "Forcepoint Management Server", "Cisco Secure Firewall", "Palo Alto Prisma access", "Ubika WAAP Gateway", "IBM AIX", "PRODAFT USTA Cyber Threat Intelligence Platform", "Clavister NGFW", "Unbound", "BeyondTrust Privileged Remote Access Syslog [BETA]", "SonicWall Firewall", "Mimecast Email Security", "ESET Protect", "Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "Azure Network Watcher [DEPRECATED]", "Citrix NetScaler / ADC", "Microsoft Always On VPN", "Cato Networks SASE", "Cisco ESA", "Nozomi Vantage", "Trellix EPO [ALPHA]", "Imperva WAF", "Ubika Cloud Protector Next Generation Alerts", "CyberArk Audit Logs", "ArubaOS Switch", "Salesforce", "Okta", "HAProxy", "Olfeo secure web gateway", "Gatewatcher AionIQ V103", "AWS CloudTrail", "CEF", "WatchGuard Endpoint Security / Panda Security Aether", "F5 Distributed Cloud", "Check Point NGFW", "Fortinet FortiMail", "Netskope Transaction Events with AWS S3", "Palo Alto NGFW", "Azure Files", "Sophos Firewall", "Netskope", "Microsoft IIS", "Cloudflare Access Requests", "Cisco Umbrella IP", "Thinkst Canary", "Microsoft 365 Message Trace [DEPRECATED]", "Cisco NX-OS", "OpenVPN", "NucleonEDR", "Windows", "Jumpcloud Directory Insights", "OpenLDAP", "Keycloak Events", "Netfilter", "Seckiot Citadelle", "Gatewatcher AionIQ v102", "Ekinops OneOS", "Claroty xDome", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "WatchGuard Firebox", "FreeRADIUS", "Squid", "Fastly Next-Gen WAF Alerts", "Cisco Meraki MX", "F5 BIG-IP", "Ivanti / Pulse Connect Secure", "Microsoft 365 Message Trace (Graph API)", "Jizo AI / Sesame it NDR", "VMware ESXi", "Darktrace Threat Visualizer", "Trellix ePO (on-prem)", "Microsoft Intune", "Bitdefender GravityZone", "Nanocorp [BETA]", "Broadcom Cloud Secure Web Gateway", "Azure Database for MySQL", "Palo Alto Cortex XDR (EDR)", "Retarus Email Security", "Microsoft Defender XDR / Microsoft 365 Defender", "Trapster (by Ballpoint) [BETA]", "AWS VPC Flow logs", "MokN - Baits", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "WithSecure Elements", "CyberArk Digital Vault", "Wiz Vulnerability Findings", "OGO WAF", "Trend Micro Cloud One / Deep Security", "Azure Activity Logs", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "SentinelOne EDR", "Azure Key Vault", "IBM iSeries", "Azure Network Watcher Flow Logs", "Ubika Cloud Protector Alerts [DEPRECATED]", "Cisco Duo Security", "Cisco Catalyst SD-WAN", "WALLIX Bastion", "Vade Cloud"]}, {"uuid": "28ea5da5-c2e5-45ce-97ef-f7c3a7d0e3ce", "name": "Loss Of Parsing", "effort": "master", "data_sources": ["Application logs", "Data loss prevention", "Web logs", "Packet capture"], "description": "Spots the loss of events parsing by Sekoia.io, could indicate a loss of valid events flow. The strategy is to focus on less frequent event to limit the impact of the skewness in the count distribution law.", "attack": ["stealth - Impair Defenses (T1562)", "stealth - Disable or Modify Cloud Logs (T1562.008)", "defense-impairment - Network Boundary Bridging (T1599)"], "intake-formats": []}, {"uuid": "a653c3a6-88f7-4c48-906a-073650e02e77", "name": "Netskope Successful Brute Force On Protected Applications", "effort": "master", "data_sources": ["Authentication logs", "Web application firewall logs", "Web logs", "Web proxy"], "description": "Detects successful brute force on Netskope protected applications after more than 5 failures in 5 minutes and one success for the same user name and application.", "attack": ["credential-access - Brute Force (T1110)", "initial-access - Valid Accounts (T1078)"], "intake-formats": ["Netskope"]}, {"uuid": "8cd8c382-d07d-4890-bc9c-7b69a161eb1b", "name": "Download Files From Suspicious TLDs", "effort": "master", "data_sources": ["Web logs", "Web proxy", "Web application firewall logs", "Packet capture"], "description": "Detects download of certain file types from hosts in suspicious TLDs", "attack": ["initial-access - Phishing (T1566)", "execution - Exploitation for Client Execution (T1203)", "execution - User Execution (T1204)", "execution - Malicious Link (T1204.001)", "execution - Malicious File (T1204.002)"], "intake-formats": ["Skyhigh Secure Web Gateway / McAfee Web Gateway", "Netskope", "OCSF", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Cisco ESA", "F5 NGINX", "Netskope Transaction Events with AWS S3", "Ubika WAAP Gateway", "Imperva WAF", "Suricata", "F5 BIG-IP", "Zscaler Internet Access", "Broadcom Edge Secure Web Gateway", "Zscaler Private Access [BETA]", "Fortinet FortiProxy", "Windows", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "f176e7f2-36d9-4c97-8516-5a089d0f4ac2", "name": "Malware Detected By Vade For M365 And Not Blocked", "effort": "advanced", "data_sources": ["Anti-virus", "Email gateway"], "description": "Vade Secure product Vade for M365 has detected a malware contained in the message and didn't delete it.", "attack": ["initial-access - Phishing (T1566)", "execution - Malicious File (T1204.002)"], "intake-formats": ["Vade for M365"]}, {"uuid": "179b55ce-e3a3-4d42-828a-716ea469316b", "name": "Correlation Potential DNS Tunnel", "effort": "advanced", "data_sources": ["DNS records", "Network device logs", "Packet capture"], "description": "Detects domain name which is longer than 62 characters and requested at least 50 times in a 10 minutes range time. Long domain names are distinctive of DNS tunnels.", "attack": ["command-and-control - DNS (T1071.004)"], "intake-formats": ["Fortinet FortiGate", "Akamai Guardicore On-Prem [BETA]", "Gatewatcher AionIQ v102", "Cisco Secure Firewall", "Claroty xDome", "Cloudflare Gateway HTTP", "Palo Alto Prisma access", "WatchGuard Firebox", "Hornetsecurity 365 Total Protection", "Squid", "Cisco ISE", "Unbound", "AWS WAF", "Apache HTTP Server", "CrowdStrike Falcon", "F5 BIG-IP", "Infoblox DDI", "Ivanti / Pulse Connect Secure", "PingFederate", "Postfix", "SonicWall Firewall", "VMware ESXi", "Cato Networks SASE", "Imperva WAF", "Delinea PRA", "Cisco Secure Web Appliance", "ArubaOS Switch", "Cloudflare Gateway Network", "Cloudflare WAF events", "Palo Alto Cortex XDR (EDR)", "Retarus Email Security", "Azure Windows", "AWS CloudFront", "HAProxy", "Juniper NGFW", "SentinelOne Singularity Identity", "CEF", "Barracuda CloudGen Firewall", "AWS GuardDuty", "Check Point NGFW", "Fortinet FortiMail", "BIND", "Cloudflare DNS logs", "CyberArk Digital Vault", "One Identity SPS", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Tanium", "Palo Alto NGFW", "Vectra Cognito Detect", "Zscaler Internet Access", "HarfangLab EDR", "Fortinet FortiProxy", "Nozomi CMC", "OGO WAF", "Sophos Firewall", "Zscaler Private Access [BETA]", "Akamai Guardicore Cloud [BETA]", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "EfficientIP SOLIDServer DDI", "OCSF", "Cisco Umbrella Proxy", "F5 NGINX", "Broadcom/Symantec Endpoint Security", "Forcepoint Secure Web Gateway", "Suricata", "Cloudflare Gateway DNS", "Thinkst Canary", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Trend Micro Apex One / Vision One endpoint", "WALLIX Bastion", "Cisco Umbrella DNS", "Windows", "Elastic Winlogbeat"]}, {"uuid": "2c4eb091-dd5e-4588-90e5-feff1c4530ae", "name": "CVE-2021-34473 ProxyShell Attempt", "effort": "advanced", "data_sources": ["Packet capture", "Web logs", "Web application firewall logs", "Web proxy"], "description": "Detects CVE-2021-34473 ProxyShell attempt against Microsoft Exchange Server, Remote Code Execution Vulnerability.", "attack": ["persistence - Web Shell (T1505.003)"], "intake-formats": ["Cisco Secure Firewall", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "Squid", "F5 BIG-IP", "AWS WAF", "Apache HTTP Server", "Broadcom Edge Secure Web Gateway", "PingFederate", "Citrix NetScaler / ADC", "Olfeo SAAS", "Imperva WAF", "Cisco Secure Web Appliance", "Azure Front Door", "Salesforce", "HAProxy", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "Netskope Transaction Events with AWS S3", "Zscaler Internet Access", "HarfangLab EDR", "Zscaler Private Access [BETA]", "OGO WAF", "Sophos Firewall", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "Google Cloud Load Balancing", "OCSF", "Cisco Umbrella Proxy", "F5 NGINX", "VMware vCenter", "Suricata", "Thinkst Canary"]}, {"uuid": "5857d57c-01a9-418c-9587-59cf193c29cb", "name": "Brute Force WALLIX Bastion", "effort": "master", "data_sources": ["Authentication logs"], "description": "Detects a successful login after many failed attempts by the same user.", "attack": ["credential-access - Brute Force (T1110)"], "intake-formats": ["WALLIX Bastion"]}, {"uuid": "d8f47077-6dd5-466d-b876-95f5b9cd0bf5", "name": "Cloudflare Gateway DNS Query Blocked to Malicious Domain", "effort": "master", "data_sources": ["DNS records"], "description": "A DNS query to a domain categorized by Cloudflare Gateway as malicious was blocked by policy.", "attack": ["command-and-control - Web Protocols (T1071.001)"], "intake-formats": ["Cloudflare Gateway DNS"]}, {"uuid": "aa89184c-aa79-4b47-bf83-49adf081cef7", "name": "Covenant Default HTTP Beaconing", "effort": "intermediate", "data_sources": ["Netflow/Enclave netflow", "Network protocol analysis", "Packet capture", "Web logs"], "description": "Detects potential Covenant communications through the user-agent and specific urls", "attack": ["command-and-control - Web Protocols (T1071.001)"], "intake-formats": ["Fortinet FortiGate", "Gatewatcher AionIQ v102", "Cisco Secure Firewall", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "Squid", "Cisco ISE", "Cisco Meraki MX", "AWS WAF", "Apache HTTP Server", "Broadcom Edge Secure Web Gateway", "CrowdStrike Falcon", "F5 BIG-IP", "Ivanti / Pulse Connect Secure", "NeroSwarm Honeypot", "SonicWall Firewall", "Sekoia.io activity logs", "VMware ESXi", "Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "Citrix NetScaler / ADC", "Cato Networks SASE", "Broadcom Cloud Secure Web Gateway", "Cisco ESA", "Trellix Network Security", "Imperva WAF", "Ubika Cloud Protector Next Generation Alerts", "Delinea PRA", "Cisco Secure Web Appliance", "Azure Front Door", "Salesforce", "Cloudflare WAF events", "Fastly Next-Gen WAF Audit Logs", "Kubernetes Audit Log", "Fortinet FortiWeb", "Microsoft Defender XDR / Microsoft 365 Defender", "AWS CloudFront", "HAProxy", "Gatewatcher AionIQ V103", "Microsoft Entra ID / Azure AD", "CEF", "Check Point NGFW", "Cloudflare HTTP requests", "F5 Distributed Cloud", "Netskope Transaction Events with AWS S3", "Ubika Cloud Protector Traffic [DEPRECATED]", "Zscaler Internet Access", "Azure Files", "HarfangLab EDR", "Fortinet FortiProxy", "OGO WAF", "Sophos Firewall", "Zscaler Private Access [BETA]", "Microsoft 365 / Office 365", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Netskope", "Azure Application Gateway", "Google Cloud Load Balancing", "OCSF", "Azure Key Vault", "Cisco Umbrella Proxy", "F5 NGINX", "VMware vCenter", "Forcepoint Secure Web Gateway", "Suricata", "Thinkst Canary", "Cisco Catalyst SD-WAN", "Windows", "Proofpoint TAP"]}, {"uuid": "89da661c-e033-402f-99c6-54774aec1a57", "name": "Zscaler Internet Access Data Exfiltration", "effort": "master", "data_sources": ["Network device logs"], "description": "Detects request of 100000000 bytes or more from Zscaler Internet Access monitored hosts.", "attack": ["exfiltration - Exfiltration Over Other Network Medium (T1011)"], "intake-formats": []}, {"uuid": "75c26b09-92bb-43d5-9343-0aaf00435df0", "name": "Trellix Network Security Threat Notified", "effort": "master", "data_sources": ["Web application firewall logs"], "description": "Trellix Network Security has detected a malicious traffic and raised an alert.", "attack": ["command-and-control - Application Layer Protocol (T1071)"], "intake-formats": ["Trellix Network Security"]}, {"uuid": "dd1d4c5e-33ae-4936-88fa-479754f6a085", "name": "Anomaly Internal Ping", "effort": "master", "data_sources": ["Network intrusion detection system", "Network device logs"], "description": "Detects internal ping with uncomplete connection on internal network.", "attack": ["discovery - Remote System Discovery (T1018)"], "intake-formats": []}, {"uuid": "3979bffd-c0f1-4291-b082-4ad1612b8934", "name": "CVE-2019-0604 SharePoint", "effort": "advanced", "data_sources": ["Packet capture", "Web logs", "Web application firewall logs", "Web proxy"], "description": "Detects the exploitation of the SharePoint vulnerability (CVE-2019-0604).", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Fortinet FortiGate", "Cisco Secure Firewall", "Cloudflare Gateway HTTP", "Palo Alto Prisma access", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "Squid", "Cisco Meraki MX", "F5 BIG-IP", "AWS WAF", "Apache HTTP Server", "Broadcom Edge Secure Web Gateway", "SonicWall Firewall", "PingFederate", "Sekoia.io activity logs", "Citrix NetScaler / ADC", "Olfeo SAAS", "Trellix Network Security", "Imperva WAF", "Cisco Secure Web Appliance", "Azure Front Door", "Salesforce", "HAProxy", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "CEF", "Check Point NGFW", "Netskope Transaction Events with AWS S3", "SentinelOne Cloud Funnel 2.0", "Zscaler Internet Access", "Palo Alto NGFW", "HarfangLab EDR", "Zscaler Private Access [BETA]", "OGO WAF", "Sophos Firewall", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "Google Cloud Load Balancing", "OCSF", "Cisco Umbrella Proxy", "F5 NGINX", "VMware vCenter", "Forcepoint Secure Web Gateway", "Suricata", "Thinkst Canary"]}, {"uuid": "cbfaa3b3-f868-4483-a186-20e1b0e3d8ce", "name": "EvilProxy Phishing Domain", "effort": "intermediate", "data_sources": ["DNS records", "Web proxy"], "description": "Detects subdomains potentially generated by the EvilProxy adversary-in-the-middle phishing platform. Inspect the other subdomains of the domain to identify the landing page, and determine if the user submitted credentials. This rule has a small percentage of false positives on legitimate domains.", "attack": ["collection - Adversary-in-the-Middle (T1557)", "credential-access - Multi-Factor Authentication Interception (T1111)"], "intake-formats": ["Fortinet FortiGate", "Cloudflare Gateway HTTP", "Hornetsecurity 365 Total Protection", "AWS WAF", "Apache HTTP Server", "Delinea PRA", "Cisco Secure Web Appliance", "Cloudflare Gateway Network", "Azure Windows", "Juniper NGFW", "Sophos Analysis Threat Center", "One Identity SPS", "Cloudflare DNS logs", "SentinelOne Cloud Funnel 2.0", "Tanium", "Zscaler Internet Access", "Vectra Cognito Detect", "HarfangLab EDR", "Fortinet FortiProxy", "Stormshield SNS", "EfficientIP SOLIDServer DDI", "OCSF", "Suricata", "Cloudflare Gateway DNS", "Crowdstrike Falcon Telemetry", "Elastic Winlogbeat", "Cisco ISE", "Broadcom Edge Secure Web Gateway", "CrowdStrike Falcon", "Infoblox DDI", "Postfix", "PingFederate", "Cloudflare WAF events", "Fortinet FortiWeb", "Akamai WAF", "AWS CloudFront", "AWS GuardDuty", "BIND", "Zscaler Private Access [BETA]", "Nozomi CMC", "Aleph Alerts [BETA]", "Akamai Guardicore Cloud [BETA]", "Cisco Umbrella Proxy", "F5 NGINX", "Forcepoint Secure Web Gateway", "Trend Micro Apex One / Vision One endpoint", "Cisco Umbrella DNS", "Broadcom/Symantec Endpoint Security", "Bitsight SPM", "Trapster (by Ballpoint) [BETA]", "Akamai Guardicore On-Prem [BETA]", "Cisco Secure Firewall", "Palo Alto Prisma access", "Ubika WAAP Gateway", "Unbound", "SonicWall Firewall", "Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "Citrix NetScaler / ADC", "Cato Networks SASE", "Cisco ESA", "Ubika Cloud Protector Next Generation Alerts", "Imperva WAF", "ArubaOS Switch", "HAProxy", "Gatewatcher AionIQ V103", "CEF", "Check Point NGFW", "F5 Distributed Cloud", "Fortinet FortiMail", "Netskope Transaction Events with AWS S3", "Palo Alto NGFW", "Sophos Firewall", "Netskope", "Cloudflare Access Requests", "Thinkst Canary", "Cisco NX-OS", "Windows", "Gatewatcher AionIQ v102", "Claroty xDome", "WatchGuard Firebox", "Squid", "F5 BIG-IP", "Ivanti / Pulse Connect Secure", "VMware ESXi", "Bitdefender GravityZone", "Broadcom Cloud Secure Web Gateway", "Palo Alto Cortex XDR (EDR)", "Retarus Email Security", "Microsoft Defender XDR / Microsoft 365 Defender", "MokN - Baits", "SentinelOne Singularity Identity", "Barracuda CloudGen Firewall", "CyberArk Digital Vault", "OGO WAF", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Cisco Catalyst SD-WAN", "WALLIX Bastion", "Vade Cloud"]}, {"uuid": "642b2a3f-c267-470f-994b-3bc299820fb3", "name": "CVE-2018-13379 Fortinet Exploit", "effort": "advanced", "data_sources": ["Packet capture", "Web logs", "Web application firewall logs", "Web proxy"], "description": "Detects the successful exploitation of the Fortinet FortiOS CVE-2018-13379. This CVE is one of the most exploited CVEs since 2018. It is exploited by APT threat actors as well as cybercriminals. The exploitation of this CVE lead an unauthenticated user to get full access to FortiOS system file through SSL VPN via specially crafted HTTP resource requests. The exploit read /dev/cmdb/sslvpn_websession file, that contains login and passwords in (clear/text). An HTTP response status code = 200, means the file was successfully accessed. This vulnerability affects FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4.", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Cisco Secure Firewall", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "Squid", "F5 BIG-IP", "AWS WAF", "Apache HTTP Server", "Broadcom Edge Secure Web Gateway", "PingFederate", "Citrix NetScaler / ADC", "Olfeo SAAS", "Imperva WAF", "Cisco Secure Web Appliance", "Azure Front Door", "Salesforce", "HAProxy", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "Netskope Transaction Events with AWS S3", "Zscaler Internet Access", "HarfangLab EDR", "Zscaler Private Access [BETA]", "OGO WAF", "Sophos Firewall", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "Google Cloud Load Balancing", "OCSF", "Cisco Umbrella Proxy", "F5 NGINX", "VMware vCenter", "Suricata", "Thinkst Canary"]}, {"uuid": "7daf89fd-56b5-4476-a606-e51b9c74537c", "name": "Correlation Fortigate Multi Alert From One Internal Ip", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "This rule detect an internal asset that targets a destination IP address with several threat", "attack": ["reconnaissance - Active Scanning (T1595)"], "intake-formats": ["Fortinet FortiGate"]}, {"uuid": "9128bd5c-90c0-4d1b-ac2d-a44a8e89e989", "name": "Cryptomining", "effort": "master", "data_sources": ["DNS records", "Netflow/Enclave netflow", "Network protocol analysis", "Packet capture", "Web logs"], "description": "Detection of domain names potentially related to cryptomining activities.", "attack": ["command-and-control - DNS (T1071.004)"], "intake-formats": ["Broadcom Siteminder", "Fortinet FortiGate", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "Hornetsecurity 365 Total Protection", "Google Cloud Audit Logs", "GraphAPI for Microsoft Entra ID / Azure AD", "AWS WAF", "Apache HTTP Server", "Juniper Networks Switches", "NeroSwarm Honeypot", "Sekoia.io activity logs", "Veeam Backup", "Elastic AuditBeat Linux", "Trellix Network Security", "Delinea PRA", "Cisco Secure Web Appliance", "Azure Front Door", "Cloudflare Gateway Network", "Azure Windows", "Proofpoint PoD", "Juniper NGFW", "Vade for M365", "Sophos Analysis Threat Center", "Wiz Audit Logs", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Cloudflare DNS logs", "Google VPC Flow Logs", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Zscaler Internet Access", "Forcepoint Next-Generation Firewall", "Vectra Cognito Detect", "HarfangLab EDR", "Fortinet FortiProxy", "Stormshield SNS", "Microsoft 365 / Office 365", "EfficientIP SOLIDServer DDI", "Google Cloud Load Balancing", "OCSF", "ExtraHop Reveal(x) 360", "VMware vCenter", "Suricata", "Cloudflare Gateway DNS", "Crowdstrike Falcon Telemetry", "SonicWall Secure Mobile Access", "OpenBSD Packet Filter / OPNSense / PfSense", "Elastic Winlogbeat", "Github Audit logs", "Systancia Cleanroom", "Cloudflare Audit logs", "Watchguard EPDR", "Cisco ISE", "ManageEngine ADAudit Plus", "Wiz Threat Detections", "Broadcom Edge Secure Web Gateway", "CrowdStrike Falcon", "Infoblox DDI", "1Password EPM", "Postfix", "PingFederate", "Google Workspace / ChromeOS", "Olfeo SAAS", "Rubycat PROVE IT", "Radware DefensePro [Beta]", "Apache SpamAssassin", "Cloudflare WAF events", "Fastly Next-Gen WAF Audit Logs", "Kubernetes Audit Log", "Trellix Advanced Threat Defense", "Fortinet FortiWeb", "TEHTRIS EDR", "Akamai WAF", "AWS CloudFront", "BeyondTrust Privileged Remote Access Session", "Microsoft Entra ID / Azure AD", "AWS GuardDuty", "BeyondTrust PRA Team [BETA]", "Cloudflare HTTP requests", "BIND", "Ubika Cloud Protector Traffic [DEPRECATED]", "Zscaler Private Access [BETA]", "Nozomi CMC", "Wiz Issues", "Aleph Alerts [BETA]", "ISC DHCP", "Akamai Guardicore Cloud [BETA]", "Cyberwatch Detection", "Lacework Cloud Security", "Sekoia.io Endpoint Agent", "Cisco Umbrella Proxy", "Varonis Data Security", "F5 NGINX", "Forcepoint Secure Web Gateway", "Check Point Harmony Email & Collaboration Suite Security", "Trend Micro Apex One / Vision One endpoint", "Cisco Umbrella DNS", "Broadcom/Symantec Endpoint Security", "Bitsight SPM", "Cisco IOS router and switch", "LockSelf LockPass/LockTransfer/LockFiles", "OpenSSH", "Proofpoint TAP", "Microsoft Defender XDR (Graph API) [BETA]", "Stormshield SES", "Akamai Guardicore On-Prem [BETA]", "Forcepoint Management Server", "Cisco Secure Firewall", "Palo Alto Prisma access", "Ubika WAAP Gateway", "IBM AIX", "PRODAFT USTA Cyber Threat Intelligence Platform", "Clavister NGFW", "Unbound", "BeyondTrust Privileged Remote Access Syslog [BETA]", "SonicWall Firewall", "Mimecast Email Security", "ESET Protect", "Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "Azure Network Watcher [DEPRECATED]", "Citrix NetScaler / ADC", "Microsoft Always On VPN", "Cato Networks SASE", "Cisco ESA", "Nozomi Vantage", "Trellix EPO [ALPHA]", "Imperva WAF", "Ubika Cloud Protector Next Generation Alerts", "CyberArk Audit Logs", "ArubaOS Switch", "Salesforce", "Okta", "HAProxy", "Olfeo secure web gateway", "Gatewatcher AionIQ V103", "AWS CloudTrail", "CEF", "WatchGuard Endpoint Security / Panda Security Aether", "F5 Distributed Cloud", "Check Point NGFW", "Fortinet FortiMail", "Netskope Transaction Events with AWS S3", "Palo Alto NGFW", "Azure Files", "Sophos Firewall", "Netskope", "Microsoft IIS", "Cloudflare Access Requests", "Cisco Umbrella IP", "Thinkst Canary", "Microsoft 365 Message Trace [DEPRECATED]", "Cisco NX-OS", "OpenVPN", "NucleonEDR", "Windows", "Jumpcloud Directory Insights", "OpenLDAP", "Keycloak Events", "Netfilter", "Seckiot Citadelle", "Gatewatcher AionIQ v102", "Ekinops OneOS", "Claroty xDome", "Trend Micro Vision One Workbench Alerts [BETA]", "RSA SecurID", "WatchGuard Firebox", "FreeRADIUS", "Squid", "Fastly Next-Gen WAF Alerts", "Cisco Meraki MX", "F5 BIG-IP", "Ivanti / Pulse Connect Secure", "Microsoft 365 Message Trace (Graph API)", "Jizo AI / Sesame it NDR", "VMware ESXi", "Darktrace Threat Visualizer", "Trellix ePO (on-prem)", "Microsoft Intune", "Bitdefender GravityZone", "Nanocorp [BETA]", "Broadcom Cloud Secure Web Gateway", "Azure Database for MySQL", "Palo Alto Cortex XDR (EDR)", "Retarus Email Security", "Microsoft Defender XDR / Microsoft 365 Defender", "Trapster (by Ballpoint) [BETA]", "AWS VPC Flow logs", "MokN - Baits", "SentinelOne Singularity Identity", "Trellix EDR [ALPHA]", "Barracuda CloudGen Firewall", "WithSecure Elements", "CyberArk Digital Vault", "Wiz Vulnerability Findings", "OGO WAF", "Trend Micro Cloud One / Deep Security", "Azure Activity Logs", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "SentinelOne EDR", "Azure Key Vault", "IBM iSeries", "Azure Network Watcher Flow Logs", "Ubika Cloud Protector Alerts [DEPRECATED]", "Cisco Duo Security", "Cisco Catalyst SD-WAN", "WALLIX Bastion", "Vade Cloud"]}, {"uuid": "ee13f15c-a65e-4a35-95b8-5db8171a9c94", "name": "1Password EPM Grant Access Vault", "effort": "master", "data_sources": ["Third-party application logs"], "description": "Detects when a group is granted access to a 1Password vault.", "attack": ["credential-access - Credentials from Password Stores (T1555)"], "intake-formats": ["1Password EPM"]}, {"uuid": "b4e8a0e8-7805-4d88-9b6a-3c2d85cd6488", "name": "Systancia Cleanroom Brute Force", "effort": "master", "data_sources": ["Application logs"], "description": "Detects a successful brute force attempt to access systancia cleanroom web portal.", "attack": ["credential-access - Brute Force (T1110)"], "intake-formats": ["Systancia Cleanroom"]}, {"uuid": "07fbd0f1-c11f-43f3-a024-9df7826eca75", "name": "Netskope Potential Brute Force On Protected Applications", "effort": "master", "data_sources": ["Authentication logs", "Web application firewall logs", "Web logs", "Web proxy"], "description": "Detects potential brute force on Netskope protected applications with more than 10 failures in 5 minutes for the same user name and application.", "attack": ["credential-access - Brute Force (T1110)", "initial-access - Valid Accounts (T1078)"], "intake-formats": ["Netskope"]}, {"uuid": "bc988d38-a607-4cd6-b750-5c847f9b80ff", "name": "Authentication Impossible Travel", "effort": "master", "data_sources": ["Authentication logs", "Web application firewall logs", "Web logs", "Web proxy"], "description": "Detects impossible travel when performing authentication from a source IP address, grouped by user name. This could require some alert filtering for some user generic accounts, and known IP address range. Microsoft / Office 365 format is not covered by this rule.", "attack": ["credential-access - Brute Force (T1110)", "initial-access - Valid Accounts (T1078)"], "intake-formats": ["Zscaler Private Access [BETA]", "GraphAPI for Microsoft Entra ID / Azure AD"]}, {"uuid": "5a682e9b-a480-4f66-a3cd-1022dd2b85d6", "name": "Anomaly Internal RDP", "effort": "master", "data_sources": ["Network device logs", "Network intrusion detection system"], "description": "Detects uncompleted attempts to connect to a Remote Desktop Protocol (RDP) session.", "attack": ["discovery - System Service Discovery (T1007)"], "intake-formats": []}, {"uuid": "042414b0-f364-4f01-b668-a3e2ad8e3261", "name": "Forcepoint Secure Web Gateway Compromised Websites", "effort": "master", "data_sources": ["Web proxy"], "description": "Forcepoint Secure Web Gateway has detected an access to an IP/domain tagged as compromised. Even if it has been blocked, it could be interesting to investigate the source asset.", "attack": ["exfiltration - Exfiltration Over C2 Channel (T1041)"], "intake-formats": []}, {"uuid": "2f3b3e50-44a6-412a-8d64-b0c8ffb9461b", "name": "CVE-2019-2725 Oracle Weblogic Exploit", "effort": "elementary", "data_sources": ["Packet capture", "Web logs", "Web proxy", "Web application firewall logs"], "description": "Detects the successful exploitation of a deserialization vulnerability in Oracle Weblogic Server, CVE-2019-2725. This vulnerability affects versions 10.X and 12.1.3 of WebLogic that have the components wls9_async_response.war and wls-wsat.war enabled. It is a remote code execution which can be exploited without authentication via HTTP. An HTTP response status code = 202, means the target is vulnerable, the analyst then has to look in depth to check if a webshell has been uploaded or something else has been done.", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Cisco Secure Firewall", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "Squid", "F5 BIG-IP", "AWS WAF", "Apache HTTP Server", "Broadcom Edge Secure Web Gateway", "PingFederate", "Jizo AI / Sesame it NDR", "Citrix NetScaler / ADC", "Olfeo SAAS", "Imperva WAF", "Delinea PRA", "Cisco Secure Web Appliance", "Azure Front Door", "Salesforce", "HAProxy", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "Netskope Transaction Events with AWS S3", "Zscaler Internet Access", "Azure Files", "HarfangLab EDR", "Fortinet FortiProxy", "OGO WAF", "Sophos Firewall", "Zscaler Private Access [BETA]", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "Google Cloud Load Balancing", "OCSF", "Azure Key Vault", "Cisco Umbrella Proxy", "F5 NGINX", "VMware vCenter", "Suricata", "Thinkst Canary"]}, {"uuid": "e234c840-1617-4d46-a71f-78408e0c6c3b", "name": "Phishing Detected By Vade For M365", "effort": "master", "data_sources": ["Anti-virus", "Email gateway"], "description": "Vade Secure product Vade for M365 has detected a phishing attempt.", "attack": ["initial-access - Spearphishing Attachment (T1566.001)", "initial-access - Spearphishing Link (T1566.002)", "initial-access - Spearphishing via Service (T1566.003)"], "intake-formats": ["Vade for M365"]}, {"uuid": "60efadd2-6bab-4bfe-8992-04c931e85ce8", "name": "Fortigate IPS High Severity Alert", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Fortigate intrusion detection alert with high severity.", "attack": ["reconnaissance - Active Scanning (T1595)"], "intake-formats": ["Fortinet FortiGate"]}, {"uuid": "2617c004-5564-44f7-92aa-caf2822b04f4", "name": "Cobalt Strike HTTP Default POST Beaconing", "effort": "advanced", "data_sources": ["Network device logs", "Packet capture"], "description": "Detects POST HTTP queries from known Cobalt Strike beacons (source code 4.3)", "attack": ["command-and-control - Web Protocols (T1071.001)"], "intake-formats": ["Skyhigh Secure Web Gateway / McAfee Web Gateway", "HAProxy", "Cisco Umbrella Proxy", "Cisco Secure Firewall", "F5 NGINX", "Olfeo SAAS", "VMware vCenter", "Suricata", "Salesforce", "Squid", "Cisco Secure Web Appliance", "Azure Front Door", "Zscaler Internet Access", "F5 BIG-IP", "Apache HTTP Server", "Zscaler Private Access [BETA]"]}, {"uuid": "c0bbf8ed-a730-4165-b6d8-15990b437ea7", "name": "Scam Detected By Vade For M365 And Not Blocked", "effort": "advanced", "data_sources": ["Anti-virus", "Email gateway"], "description": "Vade Secure product Vade for M365, has detected a scam e-mail and didn't block it.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Vade for M365"]}, {"uuid": "f9fbe265-5b14-4913-aba0-b015bd44ab8c", "name": "Potential Azure AD Phishing Page (Adversary-in-the-Middle)", "effort": "intermediate", "data_sources": ["Web proxy", "SSL/TLS inspection"], "description": "Detects an HTTP request to an URL typical of the Azure AD authentication flow, but towards a domain that is not one the legitimate Microsoft domains used for Azure AD authentication.", "attack": ["collection - Adversary-in-the-Middle (T1557)", "credential-access - Multi-Factor Authentication Interception (T1111)"], "intake-formats": ["Broadcom Siteminder", "Akamai Guardicore On-Prem [BETA]", "Gatewatcher AionIQ v102", "Cisco Secure Firewall", "WatchGuard Firebox", "Ubika WAAP Gateway", "F5 BIG-IP", "CrowdStrike Falcon", "Broadcom Edge Secure Web Gateway", "Ivanti / Pulse Connect Secure", "NeroSwarm Honeypot", "Sekoia.io activity logs", "Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "Citrix NetScaler / ADC", "Bitdefender GravityZone", "Ubika Cloud Protector Next Generation Alerts", "Broadcom Cloud Secure Web Gateway", "Salesforce", "Cloudflare WAF events", "Kubernetes Audit Log", "Fortinet FortiWeb", "Akamai WAF", "AWS CloudFront", "HAProxy", "Gatewatcher AionIQ V103", "F5 Distributed Cloud", "Cloudflare HTTP requests", "Ubika Cloud Protector Traffic [DEPRECATED]", "Zscaler Internet Access", "HarfangLab EDR", "Zscaler Private Access [BETA]", "Aleph Alerts [BETA]", "Stormshield SNS", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Netskope", "Microsoft IIS", "OCSF", "Cisco Umbrella Proxy", "Kaspersky Endpoint Security", "F5 NGINX", "Ubika Cloud Protector Alerts [DEPRECATED]", "Thinkst Canary", "Cisco Catalyst SD-WAN", "Crowdstrike Falcon Telemetry", "Windows"]}, {"uuid": "47ecbf6c-4755-49f2-909e-5edbb6be9273", "name": "Spearphishing (CEO Fraud) Detected By Vade For M365", "effort": "master", "data_sources": ["Anti-virus", "Email gateway"], "description": "Vade Secure product Vade for M365 has detected a spearphishing attempt with CEO fraud thematic. Impersonation of CEO or senior management members requesting urgent money transfer, usually on an unknown RIB.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Vade for M365"]}, {"uuid": "574900df-fee9-47b9-9c67-9104670ac3e5", "name": "ExtraHop Reveal(x) 360 Intrusion Detection Critical Severity", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "ExtraHop Reveal(x) 360 raised an intrusion detection alert with critical severity.", "attack": ["reconnaissance - Active Scanning (T1595)"], "intake-formats": ["ExtraHop Reveal(x) 360"]}, {"uuid": "ff408161-d546-4b99-97ff-68c520b3c050", "name": "Nimbo-C2 User Agent", "effort": "intermediate", "data_sources": ["Web application firewall logs", "Web proxy", "Packet capture", "Web logs"], "description": "Nimbo-C2 Uses an unusual User-Agent format in its implants.", "attack": ["command-and-control - Web Protocols (T1071.001)"], "intake-formats": ["Fortinet FortiGate", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "Google Cloud Audit Logs", "GraphAPI for Microsoft Entra ID / Azure AD", "AWS WAF", "Apache HTTP Server", "NeroSwarm Honeypot", "Sekoia.io activity logs", "Trellix Network Security", "Delinea PRA", "Cisco Secure Web Appliance", "Azure Front Door", "Wiz Audit Logs", "Zscaler Internet Access", "HarfangLab EDR", "Fortinet FortiProxy", "Microsoft 365 / Office 365", "Google Cloud Load Balancing", "OCSF", "VMware vCenter", "Suricata", "SonicWall Secure Mobile Access", "Github Audit logs", "Cisco ISE", "Broadcom Edge Secure Web Gateway", "CrowdStrike Falcon", "Cloudflare WAF events", "Fastly Next-Gen WAF Audit Logs", "Kubernetes Audit Log", "Fortinet FortiWeb", "AWS CloudFront", "Microsoft Entra ID / Azure AD", "AWS GuardDuty", "Cloudflare HTTP requests", "Ubika Cloud Protector Traffic [DEPRECATED]", "Zscaler Private Access [BETA]", "Nozomi CMC", "Cisco Umbrella Proxy", "F5 NGINX", "Forcepoint Secure Web Gateway", "Trapster (by Ballpoint) [BETA]", "Proofpoint TAP", "Cisco Secure Firewall", "Ubika WAAP Gateway", "SonicWall Firewall", "Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "Citrix NetScaler / ADC", "Cato Networks SASE", "Cisco ESA", "Ubika Cloud Protector Next Generation Alerts", "Imperva WAF", "Salesforce", "Okta", "HAProxy", "Gatewatcher AionIQ V103", "AWS CloudTrail", "CEF", "Check Point NGFW", "F5 Distributed Cloud", "Netskope Transaction Events with AWS S3", "Azure Files", "Sophos Firewall", "Netskope", "Thinkst Canary", "Windows", "Gatewatcher AionIQ v102", "Squid", "Fastly Next-Gen WAF Alerts", "Cisco Meraki MX", "F5 BIG-IP", "Ivanti / Pulse Connect Secure", "VMware ESXi", "Broadcom Cloud Secure Web Gateway", "Microsoft Defender XDR / Microsoft 365 Defender", "MokN - Baits", "OGO WAF", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "Azure Key Vault", "Cisco Duo Security", "Cisco Catalyst SD-WAN"]}, {"uuid": "7d30918c-c12d-456b-9e52-b843891ff1c4", "name": "Download File On Cloud Storage Through Command Line", "effort": "intermediate", "data_sources": ["Process command-line parameters"], "description": "Detects commonly used commands like curl or wget used to download files on a Cloud Storage URL like a Google Drive URL.", "attack": ["command-and-control - Web Protocols (T1071.001)"], "intake-formats": ["Skyhigh Secure Web Gateway / McAfee Web Gateway", "OCSF", "Crowdstrike Falcon Telemetry", "Palo Alto Cortex XDR (EDR)", "Windows", "Stormshield SNS", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "e7bcb8c8-54a6-41b0-b7b9-9b2387b5f775", "name": "TOR Usage", "effort": "master", "data_sources": ["Netflow/Enclave netflow", "Network protocol analysis", "Packet capture", "Web application firewall logs"], "description": "Detects TOR usage, based on the IP address and the destination port (filtered on NTP). TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user\u2019s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user\u2019s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what\u2019s left on to the next relay in the list.", "attack": ["command-and-control - Multi-hop Proxy (T1090.003)"], "intake-formats": ["Netfilter", "Fortinet FortiGate", "Akamai Guardicore On-Prem [BETA]", "Seckiot Citadelle", "Gatewatcher AionIQ v102", "Ekinops OneOS", "Cisco Secure Firewall", "Palo Alto Prisma access", "WatchGuard Firebox", "FreeRADIUS", "Squid", "Clavister NGFW", "F5 BIG-IP", "Infoblox DDI", "Ivanti / Pulse Connect Secure", "Juniper Networks Switches", "NeroSwarm Honeypot", "Jizo AI / Sesame it NDR", "Stormshield SES", "Cato Networks SASE", "Nozomi Vantage", "Trellix Network Security", "Delinea PRA", "Cisco Secure Web Appliance", "Cloudflare Gateway Network", "Azure Windows", "Gatewatcher AionIQ V103", "Barracuda CloudGen Firewall", "AWS GuardDuty", "Check Point NGFW", "Palo Alto NGFW", "Nozomi CMC", "Sophos Firewall", "Stormshield SNS", "Akamai Guardicore Cloud [BETA]", "Suricata", "Cloudflare Gateway DNS", "NucleonEDR", "Broadcom/Symantec Endpoint Security", "Windows", "OpenBSD Packet Filter / OPNSense / PfSense", "Elastic Winlogbeat"]}, {"uuid": "2613edbf-cb8d-4156-9b93-faf213af6f15", "name": "CVE-2020-5902 F5 BIG-IP Exploitation Attempts", "effort": "elementary", "data_sources": ["Netflow/Enclave netflow", "Network protocol analysis", "Packet capture", "Web logs"], "description": "Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902.", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Cisco Secure Firewall", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "Squid", "F5 BIG-IP", "AWS WAF", "Apache HTTP Server", "Broadcom Edge Secure Web Gateway", "PingFederate", "Jizo AI / Sesame it NDR", "Citrix NetScaler / ADC", "Olfeo SAAS", "Imperva WAF", "Delinea PRA", "Cisco Secure Web Appliance", "Azure Front Door", "Salesforce", "HAProxy", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "Netskope Transaction Events with AWS S3", "Zscaler Internet Access", "Azure Files", "HarfangLab EDR", "Fortinet FortiProxy", "OGO WAF", "Sophos Firewall", "Zscaler Private Access [BETA]", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "Google Cloud Load Balancing", "OCSF", "Azure Key Vault", "Cisco Umbrella Proxy", "F5 NGINX", "VMware vCenter", "Suricata", "Thinkst Canary"]}, {"uuid": "c5e347d4-aaa3-457a-af50-514d1f09d568", "name": "Potential Lemon Duck User-Agent", "effort": "elementary", "data_sources": ["Packet capture", "Web logs", "Web application firewall logs", "Web proxy"], "description": "Detects LemonDuck user agent. The format used two sets of alphabetical characters separated by dashes, for example \"User-Agent: Lemon-Duck-[A-Z]-[A-Z]\".", "attack": ["command-and-control - Web Protocols (T1071.001)"], "intake-formats": ["Fortinet FortiGate", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "Google Cloud Audit Logs", "GraphAPI for Microsoft Entra ID / Azure AD", "AWS WAF", "Apache HTTP Server", "NeroSwarm Honeypot", "Sekoia.io activity logs", "Trellix Network Security", "Delinea PRA", "Cisco Secure Web Appliance", "Azure Front Door", "Wiz Audit Logs", "Zscaler Internet Access", "HarfangLab EDR", "Fortinet FortiProxy", "Microsoft 365 / Office 365", "Google Cloud Load Balancing", "OCSF", "VMware vCenter", "Suricata", "SonicWall Secure Mobile Access", "Github Audit logs", "Cisco ISE", "Broadcom Edge Secure Web Gateway", "CrowdStrike Falcon", "Cloudflare WAF events", "Fastly Next-Gen WAF Audit Logs", "Kubernetes Audit Log", "Fortinet FortiWeb", "AWS CloudFront", "Microsoft Entra ID / Azure AD", "AWS GuardDuty", "Cloudflare HTTP requests", "Ubika Cloud Protector Traffic [DEPRECATED]", "Zscaler Private Access [BETA]", "Nozomi CMC", "Cisco Umbrella Proxy", "F5 NGINX", "Forcepoint Secure Web Gateway", "Trapster (by Ballpoint) [BETA]", "Proofpoint TAP", "Cisco Secure Firewall", "Ubika WAAP Gateway", "SonicWall Firewall", "Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "Citrix NetScaler / ADC", "Cato Networks SASE", "Cisco ESA", "Ubika Cloud Protector Next Generation Alerts", "Imperva WAF", "Salesforce", "Okta", "HAProxy", "Gatewatcher AionIQ V103", "AWS CloudTrail", "CEF", "Check Point NGFW", "F5 Distributed Cloud", "Netskope Transaction Events with AWS S3", "Azure Files", "Sophos Firewall", "Netskope", "Thinkst Canary", "Windows", "Gatewatcher AionIQ v102", "Squid", "Fastly Next-Gen WAF Alerts", "Cisco Meraki MX", "F5 BIG-IP", "Ivanti / Pulse Connect Secure", "VMware ESXi", "Broadcom Cloud Secure Web Gateway", "Microsoft Defender XDR / Microsoft 365 Defender", "MokN - Baits", "OGO WAF", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "Azure Key Vault", "Cisco Duo Security", "Cisco Catalyst SD-WAN"]}, {"uuid": "9ca720e3-028b-430f-9311-1985c9a9c719", "name": "Sekoia.io Endpoint Agent Stopped", "effort": "master", "data_sources": ["Network device logs"], "description": "Detects when the Sekoia.io Endpoint Agent is stopped. This could be an attacker impairing defenses to evade detection.", "attack": ["stealth - Disable or Modify System Firewall (T1562.004)"], "intake-formats": []}, {"uuid": "5f1bb380-00f3-498c-9ce0-8b9a4e667e4a", "name": "Sekoia.io Endpoint Agent Inactivity", "effort": "master", "data_sources": ["Network device logs"], "description": "Detects multiple hostnames with inactived Sekoia.io Endpoint Agent for at least one hour.", "attack": ["stealth - Disable or Modify System Firewall (T1562.004)"], "intake-formats": []}, {"uuid": "0a265021-eaf4-4721-b828-6c58ac5ee6ad", "name": "Sekoia.io Endpoint Agent Uninstalled", "effort": "advanced", "data_sources": ["Network device logs"], "description": "Detects when the Sekoia.io Endpoint Agent is uninstalled. This could be an attacker impairing the defenses.", "attack": ["stealth - Disable or Modify System Firewall (T1562.004)"], "intake-formats": ["Sekoia.io Endpoint Agent"]}, {"uuid": "070fbb0f-6821-46d2-b42a-84f82777d3bf", "name": "Login Brute-Force Successful On SentinelOne EDR Management Console", "effort": "master", "data_sources": ["Anti-virus"], "description": "A user has attempted to login several times (brute-force) on the SentinelOne EDR Management Console and succeeded to login.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["Azure Windows", "Fortinet FortiGate", "SentinelOne EDR", "Microsoft Entra ID / Azure AD", "AWS CloudTrail", "Microsoft Defender XDR / Microsoft 365 Defender", "Microsoft Intune", "Palo Alto Prisma access", "WithSecure Elements", "Postfix", "Azure Database for MySQL", "Palo Alto NGFW", "F5 BIG-IP", "Apache HTTP Server", "Fortinet FortiProxy", "Cisco Umbrella DNS", "Windows", "Elastic Winlogbeat"]}, {"uuid": "b7a2b0c8-cc8f-4f4a-948c-199ad4833176", "name": "Login Failed Brute-Force On SentinelOne EDR Management Console", "effort": "master", "data_sources": ["Anti-virus"], "description": "A user has attempted to login several times (brute-force) on the SentinelOne EDR Management Console and failed every time.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["SentinelOne EDR"]}, {"uuid": "cef8d6f5-2b8f-4335-b05f-b854d1884ff6", "name": "Cybereason EDR Malware Detection", "effort": "master", "data_sources": ["Anti-virus"], "description": "Cybereason EDR telemetry has detected a malware", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["Cybereason EDR"]}, {"uuid": "1185d763-c341-4cf8-af9f-8475acb8c331", "name": "Sysmon Windows File Block Executable", "effort": "master", "data_sources": ["Process monitoring", "File monitoring", "Windows event logs"], "description": "Sysmon has blocked an executable file from being written to the disk. This could be a malicious binary to investigate.  ", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["Azure Windows", "Sekoia.io Endpoint Agent", "WithSecure Elements", "HarfangLab EDR", "Stormshield SES", "Windows", "Elastic Winlogbeat"]}, {"uuid": "37b6614b-6d80-4a3f-a24d-afb751e891ea", "name": "SEKOIA.IO Intelligence Feed", "effort": null, "data_sources": [], "description": "Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.", "attack": ["exfiltration - Exfiltration Over C2 Channel (T1041)"], "intake-formats": ["Fortinet FortiGate", "Akamai Guardicore On-Prem [BETA]", "Gatewatcher AionIQ v102", "Cisco Secure Firewall", "Claroty xDome", "Cloudflare Gateway HTTP", "Palo Alto Prisma access", "WatchGuard Firebox", "Hornetsecurity 365 Total Protection", "Squid", "Cisco ISE", "AWS WAF", "Apache HTTP Server", "CrowdStrike Falcon", "F5 BIG-IP", "Ivanti / Pulse Connect Secure", "PingFederate", "Postfix", "SonicWall Firewall", "VMware ESXi", "Cato Networks SASE", "Imperva WAF", "Delinea PRA", "Cisco Secure Web Appliance", "ArubaOS Switch", "Cloudflare Gateway Network", "Cloudflare WAF events", "Retarus Email Security", "Azure Windows", "AWS CloudFront", "HAProxy", "Juniper NGFW", "SentinelOne Singularity Identity", "CEF", "Check Point NGFW", "AWS GuardDuty", "Fortinet FortiMail", "One Identity SPS", "Sophos Analysis Threat Center", "Windows", "CyberArk Digital Vault", "Zscaler Internet Access", "Palo Alto NGFW", "Vectra Cognito Detect", "Zscaler Private Access [BETA]", "Fortinet FortiProxy", "Nozomi CMC", "OGO WAF", "Sophos Firewall", "Akamai Guardicore Cloud [BETA]", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "OCSF", "Cisco Umbrella Proxy", "F5 NGINX", "Forcepoint Secure Web Gateway", "Thinkst Canary", "Cisco NX-OS", "WALLIX Bastion", "Trend Micro Apex One / Vision One endpoint", "Broadcom/Symantec Endpoint Security", "Vade Cloud", "Elastic Winlogbeat"]}, {"uuid": "37b6614b-6d80-4a3f-a24d-afb751e891ea", "name": "SEKOIA.IO Intelligence Feed", "effort": null, "data_sources": [], "description": "Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.", "attack": ["exfiltration - Exfiltration Over C2 Channel (T1041)"], "intake-formats": ["Fortinet FortiGate", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "Hornetsecurity 365 Total Protection", "Juniper Networks Switches", "NeroSwarm Honeypot", "Trellix Network Security", "Delinea PRA", "Cisco Secure Web Appliance", "Cloudflare Gateway Network", "Azure Windows", "Juniper NGFW", "One Identity SPS", "Google VPC Flow Logs", "SentinelOne Cloud Funnel 2.0", "Cybereason EDR activity", "Tanium", "Zscaler Internet Access", "Forcepoint Next-Generation Firewall", "Vectra Cognito Detect", "HarfangLab EDR", "Fortinet FortiProxy", "Stormshield SNS", "Google Cloud Load Balancing", "OCSF", "VMware vCenter", "Suricata", "Cloudflare Gateway DNS", "Crowdstrike Falcon Telemetry", "OpenBSD Packet Filter / OPNSense / PfSense", "Elastic Winlogbeat", "Cisco ISE", "Broadcom Edge Secure Web Gateway", "CrowdStrike Falcon", "Infoblox DDI", "Postfix", "Olfeo SAAS", "Radware DefensePro [Beta]", "Trellix Advanced Threat Defense", "Fortinet FortiWeb", "TEHTRIS EDR", "AWS GuardDuty", "Zscaler Private Access [BETA]", "Nozomi CMC", "Wiz Issues", "ISC DHCP", "Akamai Guardicore Cloud [BETA]", "Cisco Umbrella Proxy", "Varonis Data Security", "F5 NGINX", "Forcepoint Secure Web Gateway", "Trend Micro Apex One / Vision One endpoint", "Broadcom/Symantec Endpoint Security", "Stormshield SES", "Trapster (by Ballpoint) [BETA]", "Cisco IOS router and switch", "Trellix EPO [ALPHA]", "OpenSSH", "Trellix ePO (on-prem)", "Microsoft Defender XDR (Graph API) [BETA]", "WithSecure Elements", "Akamai Guardicore On-Prem [BETA]", "Cisco Secure Firewall", "Palo Alto Prisma access", "Ubika WAAP Gateway", "Clavister NGFW", "SonicWall Firewall", "Mimecast Email Security", "ESET Protect", "Azure Network Watcher [DEPRECATED]", "Citrix NetScaler / ADC", "Cato Networks SASE", "Nozomi Vantage", "CyberArk Audit Logs", "ArubaOS Switch", "HAProxy", "Gatewatcher AionIQ V103", "CEF", "Check Point NGFW", "F5 Distributed Cloud", "Fortinet FortiMail", "Netskope Transaction Events with AWS S3", "Palo Alto NGFW", "Sophos Firewall", "Netskope", "Cisco Umbrella IP", "Thinkst Canary", "Cisco NX-OS", "NucleonEDR", "Windows", "OpenLDAP", "Netfilter", "Seckiot Citadelle", "Gatewatcher AionIQ v102", "Ekinops OneOS", "Claroty xDome", "RSA SecurID", "WatchGuard Firebox", "FreeRADIUS", "Squid", "Cisco Meraki MX", "F5 BIG-IP", "Ivanti / Pulse Connect Secure", "Microsoft 365 Message Trace (Graph API)", "Jizo AI / Sesame it NDR", "VMware ESXi", "Nanocorp [BETA]", "Palo Alto Cortex XDR (EDR)", "Microsoft Defender XDR / Microsoft 365 Defender", "AWS VPC Flow logs", "SentinelOne Singularity Identity", "Barracuda CloudGen Firewall", "CyberArk Digital Vault", "Trend Micro Cloud One / Deep Security", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "SentinelOne EDR", "Azure Network Watcher Flow Logs", "Cisco Catalyst SD-WAN", "WALLIX Bastion", "Vade Cloud"]}, {"uuid": "37b6614b-6d80-4a3f-a24d-afb751e891ea", "name": "SEKOIA.IO Intelligence Feed", "effort": null, "data_sources": [], "description": "Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.", "attack": ["exfiltration - Exfiltration Over C2 Channel (T1041)", "command-and-control - Application Layer Protocol (T1071)", "initial-access - Phishing (T1566)"], "intake-formats": ["Fortinet FortiGate", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "Hornetsecurity 365 Total Protection", "Google Cloud Audit Logs", "GraphAPI for Microsoft Entra ID / Azure AD", "AWS WAF", "Apache HTTP Server", "Juniper Networks Switches", "NeroSwarm Honeypot", "Trellix Network Security", "Delinea PRA", "Cisco Secure Web Appliance", "Azure Front Door", "Cloudflare Gateway Network", "Azure Windows", "Proofpoint PoD", "Juniper NGFW", "Vade for M365", "Sophos Analysis Threat Center", "Wiz Audit Logs", "One Identity SPS", "Cloudflare DNS logs", "Google VPC Flow Logs", "SentinelOne Cloud Funnel 2.0", "Tanium", "Zscaler Internet Access", "Forcepoint Next-Generation Firewall", "Vectra Cognito Detect", "HarfangLab EDR", "Fortinet FortiProxy", "Stormshield SNS", "Microsoft 365 / Office 365", "EfficientIP SOLIDServer DDI", "Google Cloud Load Balancing", "OCSF", "VMware vCenter", "Suricata", "Cloudflare Gateway DNS", "Crowdstrike Falcon Telemetry", "SonicWall Secure Mobile Access", "OpenBSD Packet Filter / OPNSense / PfSense", "Elastic Winlogbeat", "Systancia Cleanroom", "Cloudflare Audit logs", "Watchguard EPDR", "Cisco ISE", "ManageEngine ADAudit Plus", "CrowdStrike Falcon", "Infoblox DDI", "Postfix", "PingFederate", "Google Workspace / ChromeOS", "Olfeo SAAS", "Rubycat PROVE IT", "Radware DefensePro [Beta]", "Apache SpamAssassin", "Cloudflare WAF events", "Kubernetes Audit Log", "Trellix Advanced Threat Defense", "Fortinet FortiWeb", "TEHTRIS EDR", "AWS CloudFront", "BeyondTrust Privileged Remote Access Session", "Microsoft Entra ID / Azure AD", "AWS GuardDuty", "BeyondTrust PRA Team [BETA]", "Cloudflare HTTP requests", "BIND", "Ubika Cloud Protector Traffic [DEPRECATED]", "Zscaler Private Access [BETA]", "Nozomi CMC", "ISC DHCP", "Akamai Guardicore Cloud [BETA]", "Lacework Cloud Security", "Sekoia.io Endpoint Agent", "Cisco Umbrella Proxy", "Varonis Data Security", "F5 NGINX", "Forcepoint Secure Web Gateway", "Check Point Harmony Email & Collaboration Suite Security", "Trend Micro Apex One / Vision One endpoint", "Cisco Umbrella DNS", "Broadcom/Symantec Endpoint Security", "LockSelf LockPass/LockTransfer/LockFiles", "Cisco IOS router and switch", "Proofpoint TAP", "OpenSSH", "Stormshield SES", "Microsoft Defender XDR (Graph API) [BETA]", "Trapster (by Ballpoint) [BETA]", "Akamai Guardicore On-Prem [BETA]", "Forcepoint Management Server", "Cisco Secure Firewall", "Palo Alto Prisma access", "Ubika WAAP Gateway", "IBM AIX", "PRODAFT USTA Cyber Threat Intelligence Platform", "Clavister NGFW", "Unbound", "BeyondTrust Privileged Remote Access Syslog [BETA]", "SonicWall Firewall", "Mimecast Email Security", "ESET Protect", "Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "Azure Network Watcher [DEPRECATED]", "Citrix NetScaler / ADC", "Microsoft Always On VPN", "Cato Networks SASE", "Cisco ESA", "Nozomi Vantage", "Trellix EPO [ALPHA]", "Imperva WAF", "Ubika Cloud Protector Next Generation Alerts", "CyberArk Audit Logs", "ArubaOS Switch", "Salesforce", "Okta", "HAProxy", "Olfeo secure web gateway", "Gatewatcher AionIQ V103", "AWS CloudTrail", "CEF", "WatchGuard Endpoint Security / Panda Security Aether", "Check Point NGFW", "F5 Distributed Cloud", "Fortinet FortiMail", "Netskope Transaction Events with AWS S3", "Palo Alto NGFW", "Azure Files", "Sophos Firewall", "Netskope", "Cloudflare Access Requests", "Cisco Umbrella IP", "Thinkst Canary", "Microsoft 365 Message Trace [DEPRECATED]", "Cisco NX-OS", "NucleonEDR", "Windows", "Jumpcloud Directory Insights", "OpenLDAP", "Keycloak Events", "Netfilter", "Seckiot Citadelle", "Gatewatcher AionIQ v102", "Ekinops OneOS", "Claroty xDome", "RSA SecurID", "WatchGuard Firebox", "FreeRADIUS", "Squid", "Fastly Next-Gen WAF Alerts", "Cisco Meraki MX", "F5 BIG-IP", "Ivanti / Pulse Connect Secure", "Microsoft 365 Message Trace (Graph API)", "Jizo AI / Sesame it NDR", "VMware ESXi", "Trellix ePO (on-prem)", "Microsoft Intune", "Bitdefender GravityZone", "Nanocorp [BETA]", "Azure Database for MySQL", "Palo Alto Cortex XDR (EDR)", "Retarus Email Security", "Microsoft Defender XDR / Microsoft 365 Defender", "AWS VPC Flow logs", "MokN - Baits", "SentinelOne Singularity Identity", "Barracuda CloudGen Firewall", "WithSecure Elements", "CyberArk Digital Vault", "OGO WAF", "Trend Micro Cloud One / Deep Security", "Azure Activity Logs", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "SentinelOne EDR", "Azure Key Vault", "IBM iSeries", "Azure Network Watcher Flow Logs", "Ubika Cloud Protector Alerts [DEPRECATED]", "Cisco Duo Security", "Cisco Catalyst SD-WAN", "WALLIX Bastion"]}, {"uuid": "37b6614b-6d80-4a3f-a24d-afb751e891ea", "name": "SEKOIA.IO Intelligence Feed", "effort": null, "data_sources": [], "description": "Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.", "attack": ["exfiltration - Exfiltration Over C2 Channel (T1041)"], "intake-formats": ["Fortinet FortiGate", "Cloudflare Gateway HTTP", "Netskope Transaction Events [DEPRECATED]", "AWS WAF", "Apache HTTP Server", "Sekoia.io activity logs", "Trellix Network Security", "Delinea PRA", "Cisco Secure Web Appliance", "Azure Front Door", "Lookout Mobile Endpoint Security", "Proofpoint PoD", "Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Zscaler Internet Access", "HarfangLab EDR", "Fortinet FortiProxy", "Microsoft 365 / Office 365", "Google Cloud Load Balancing", "OCSF", "VMware vCenter", "Suricata", "Cisco ISE", "Broadcom Edge Secure Web Gateway", "PingFederate", "Olfeo SAAS", "Fastly Next-Gen WAF Audit Logs", "TEHTRIS EDR", "BeyondTrust Privileged Remote Access Session", "Microsoft Entra ID / Azure AD", "BeyondTrust PRA Team [BETA]", "Zscaler Private Access [BETA]", "Cisco Umbrella Proxy", "F5 NGINX", "Forcepoint Secure Web Gateway", "Check Point Harmony Email & Collaboration Suite Security", "Trend Micro Apex One / Vision One endpoint", "Stormshield SES", "Broadcom/Symantec Endpoint Security", "Cisco IOS router and switch", "Proofpoint TAP", "Microsoft Defender XDR (Graph API) [BETA]", "Cisco Secure Firewall", "Palo Alto Prisma access", "Ubika WAAP Gateway", "PRODAFT USTA Cyber Threat Intelligence Platform", "SonicWall Firewall", "Mimecast Email Security", "Citrix NetScaler / ADC", "Cato Networks SASE", "Cisco ESA", "Imperva WAF", "Salesforce", "HAProxy", "Olfeo secure web gateway", "CEF", "Check Point NGFW", "Fortinet FortiMail", "Netskope Transaction Events with AWS S3", "Palo Alto NGFW", "Azure Files", "Sophos Firewall", "Netskope", "Thinkst Canary", "Windows", "Sophos EDR", "Squid", "Cisco Meraki MX", "F5 BIG-IP", "Jizo AI / Sesame it NDR", "VMware ESXi", "Bitdefender GravityZone", "Microsoft Defender XDR / Microsoft 365 Defender", "OGO WAF", "Trend Micro Cloud One / Deep Security", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Azure Application Gateway", "SentinelOne EDR", "Azure Key Vault"]}]
\ No newline at end of file
+[{"uuid": "ec868df0-4008-4ca7-8c2c-fd1caaba0e96", "name": "Microsoft 365 (Office 365) MCAS New Country", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects when Microsoft Cloud App Security identifies a sign-in from a country where it has never connected. To use this feature, you must have an Microsoft 365 (Office 365) E5 license (https://docs.microsoft.com/en-us/defender-cloud-apps/get-started?culture=fr-fr&country=FR).", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "1c5095af-65a4-4b69-bb61-cc092a482ea9", "name": "Login Brute-Force On Sekoia.io", "effort": "intermediate", "data_sources": ["Authentication logs", "Web logs"], "description": "Detects successful access to Sekoia.io after several failure.", "attack": ["credential-access - Brute Force (T1110)", "initial-access - Valid Accounts (T1078)"], "intake-formats": []}, {"uuid": "07050c26-0b86-4538-9f48-f0383fdac76f", "name": "Okta Application deleted", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "An application has been delete on Okta SSO.", "attack": ["privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["Okta"]}, {"uuid": "47f618bc-fda5-4ebb-bf6b-ff5762feb8e2", "name": "AWS CloudTrail Route 53 Domain Transfer Lock Disabled", "effort": "elementary", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when the transfer lock feature is disabled on a domain name handled by AWS Route 53 service.", "attack": ["defense-impairment - Modify Cloud Compute Infrastructure (T1578)", "privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "a7c1c8ff-5b38-48d1-b536-4e6a177ce098", "name": "Microsoft Intune Non-Compliant Device", "effort": "advanced", "data_sources": ["Azure activity logs"], "description": "Detects Microsoft Intune reporting a device in a non-compliant state. This can indicate either a misconfiguration in Intune or a change of configuration on said device.", "attack": ["defense-impairment - Subvert Trust Controls (T1553)"], "intake-formats": ["Microsoft Intune"]}, {"uuid": "f8d63e1a-dc75-4dc4-b1de-4eee809a3f72", "name": "Microsoft 365 Suspicious Inbox Rule", "effort": "elementary", "data_sources": ["Office 365 audit logs"], "description": "Business Email Compromise threat actors often create inbox rules to forward, hide, or delete emails containing sensitive information. This rule detects common caracteristics of malicious inbox rules.", "attack": ["stealth - Email Hiding Rules (T1564.008)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "12d168ad-9a14-44b3-adbe-0d257c10f156", "name": "AWS CloudTrail Disable MFA", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs", "Services"], "description": "Detects a user disabling the multi factor authentication mechanism for its account. It could be a sign of malicious activity.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "8bca9464-72fa-4f49-9905-79f498892d2d", "name": "AWS CloudTrail Important Change", "effort": "advanced", "data_sources": ["AWS CloudTrail logs", "Services"], "description": "Detects disabling, deleting and updating of a Trail source which could be done by some attackers trying to masquerade their activity.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "17abe9fb-a9aa-4468-9048-8e5d2d55ee3e", "name": "Sekoia.io EICAR Detection", "effort": "master", "data_sources": ["Process monitoring", "Web logs"], "description": "Detects observables in Sekoia.io CTI tagged as EICAR, which are fake samples meant to test detection.", "attack": ["execution - Command and Scripting Interpreter (T1059)"], "intake-formats": ["NeroSwarm Honeypot", "Cloudflare Gateway HTTP", "Azure Network Watcher [DEPRECATED]", "Trellix Network Security", "Ekinops OneOS", "Veeam Backup", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Apache SpamAssassin", "F5 Distributed Cloud", "Broadcom Cloud Secure Web Gateway", "Forcepoint Management Server", "Cloudflare Access Requests", "Tanium", "Thinkst Canary", "Fastly Next-Gen WAF Audit Logs", "Salesforce", "VMware vCenter", "Fastly Next-Gen WAF Alerts", "Azure Front Door", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Unbound", "Vade for M365", "GraphAPI for Microsoft Entra ID / Azure AD", "Broadcom Siteminder", "Cyberwatch Detection", "Microsoft Intune", "Azure Database for MySQL", "Zscaler Internet Access", "Gatewatcher AionIQ V103", "FreeRADIUS", "CEF", "SentinelOne EDR", "Wiz Audit Logs", "Cato Networks SASE", "Akamai Guardicore On-Prem [BETA]", "Olfeo secure web gateway", "One Identity SPS", "Microsoft Entra ID / Azure AD", "Aleph Alerts [BETA]", "Check Point Harmony Email & Collaboration Suite Security", "Delinea PRA", "Trend Micro Vision One OAT [BETA]", "Ubika Cloud Protector Next Generation Alerts", "Microsoft Always On VPN", "WatchGuard Firebox", "Systancia Cleanroom", "Bitdefender GravityZone", "AWS WAF", "AWS CloudFront", "Cisco Meraki MX", "Check Point NGFW", "Elastic Winlogbeat", "Cisco NX-OS", "Cisco ESA", "Seckiot Citadelle", "Kubernetes Audit Log", "Trapster (by Ballpoint) [BETA]", "Azure Network Watcher Flow Logs", "Cloudflare Audit logs", "BeyondTrust Privileged Remote Access Syslog [BETA]", "Hornetsecurity 365 Total Protection", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "Cloudflare DNS logs", "Google Workspace / ChromeOS", "Wiz Threat Detections", "OCSF", "AWS CloudTrail", "Microsoft 365 Message Trace [DEPRECATED]", "Github Audit logs", "Juniper Networks Switches", "Microsoft IIS", "Claroty xDome", "Cisco Umbrella DNS", "Juniper NGFW", "Ivanti / Pulse Connect Secure", "Mimecast Email Security", "Citrix NetScaler / ADC", "Wiz Vulnerability Findings", "Palo Alto NGFW", "Cisco Umbrella IP", "Trellix EDR [ALPHA]", "Darktrace Threat Visualizer", "Nanocorp [BETA]", "Stormshield SNS", "Apache HTTP Server", "OpenVPN", "F5 BIG-IP", "PRODAFT USTA Cyber Threat Intelligence Platform", "Ubika Cloud Protector Traffic [DEPRECATED]", "Cisco Secure Firewall", "Trellix ePO (on-prem)", "ArubaOS Switch", "Cloudflare HTTP requests", "IBM AIX", "OGO WAF", "Jumpcloud Directory Insights", "Sophos Firewall", "MokN - Baits", "Varonis Data Security", "Azure Activity Logs", "Trellix EPO [ALPHA]", "CrowdStrike Falcon", "Infoblox DDI", "Microsoft 365 / Office 365", "Gatewatcher AionIQ v102", "Palo Alto Prisma access", "Vectra Cognito Detect", "Akamai Guardicore Cloud [BETA]", "Trend Micro Apex One / Vision One endpoint", "Retarus Email Security", "BeyondTrust Privileged Remote Access Session", "Netskope", "Broadcom Edge Secure Web Gateway", "SonicWall Secure Mobile Access", "ESET Protect", "Zscaler Private Access [BETA]", "Broadcom/Symantec Endpoint Security", "Netskope Transaction Events with AWS S3", "AWS GuardDuty", "TEHTRIS EDR", "Watchguard EPDR", "Lacework Cloud Security", "Proofpoint TAP", "WithSecure Elements", "Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "WatchGuard Endpoint Security / Panda Security Aether", "Forcepoint Secure Web Gateway", "Cisco Duo Security", "Cisco ISE", "Nozomi CMC", "Radware DefensePro [Beta]", "IBM iSeries", "OpenBSD Packet Filter / OPNSense / PfSense", "Elastic AuditBeat Linux", "Rubycat PROVE IT", "Cloudflare WAF events", "Jizo AI / Sesame it NDR", "PingFederate", "Proofpoint PoD", "Stormshield SES", "Wiz Issues", "AWS VPC Flow logs", "Microsoft 365 Message Trace (Graph API)", "Cisco Umbrella Proxy", "ManageEngine ADAudit Plus", "Cisco IOS router and switch", "Google VPC Flow Logs", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "EfficientIP SOLIDServer DDI", "SentinelOne Singularity Identity", "Vade Cloud", "Netfilter", "Suricata", "Google Cloud Audit Logs", "Palo Alto Cortex XDR (EDR)", "1Password EPM", "Cloudflare Gateway DNS", "Postfix", "Azure Files", "Ubika Cloud Protector Alerts [DEPRECATED]", "Azure Windows", "Nozomi Vantage", "NucleonEDR", "Okta", "ExtraHop Reveal(x) 360", "Google Cloud Load Balancing", "CyberArk Audit Logs", "Squid", "Azure Key Vault", "Barracuda CloudGen Firewall", "Akamai WAF", "Cisco Catalyst SD-WAN", "Netskope Transaction Events [DEPRECATED]", "LockSelf LockPass/LockTransfer/LockFiles", "Trend Micro Cloud One / Deep Security", "Ubika WAAP Gateway", "Keycloak Events", "Fortinet FortiProxy", "Cybereason EDR activity", "Imperva WAF", "Cisco Secure Web Appliance", "ISC DHCP", "Sekoia.io activity logs", "Azure Application Gateway", "F5 NGINX", "Olfeo SAAS", "OpenLDAP", "SonicWall Firewall", "WALLIX Bastion", "Clavister NGFW", "Fortinet FortiWeb", "CyberArk Digital Vault", "Fortinet FortiMail", "Cloudflare Gateway Network", "Fortinet FortiGate", "Trellix Advanced Threat Defense", "HAProxy", "OpenSSH", "VMware ESXi", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "BIND", "Trend Micro Vision One Workbench Alerts [BETA]", "Bitsight SPM"]}, {"uuid": "f0ce355f-714f-4128-8148-28cc6651975b", "name": "Zscaler ZIA Malicious Threat", "effort": "master", "data_sources": ["Web proxy"], "description": "Zscaler Internet Access has detected a network traffic as malicious", "attack": ["execution - Malicious Link (T1204.001)"], "intake-formats": ["Zscaler Internet Access"]}, {"uuid": "a94b5441-9932-4662-99ed-2d5c404c6f86", "name": "Zscaler ZIA Suspicious Threat", "effort": "master", "data_sources": ["Web proxy"], "description": "Zscaler Internet Access has detected a network traffic as malicious", "attack": ["execution - Malicious Link (T1204.001)"], "intake-formats": ["Zscaler Internet Access"]}, {"uuid": "f5f5f437-faf4-4183-9740-52360a1f96eb", "name": "Cisco ESA Suspicious Email With Attachment", "effort": "advanced", "data_sources": ["Email gateway"], "description": "Detects an email with an attachment, from a sender tagged as suspect, detected by either the Antivirus or the Advanced Malware Protection (AMP) engine and delivered to the recipient", "attack": ["initial-access - Spearphishing Attachment (T1566.001)"], "intake-formats": []}, {"uuid": "039d0efd-7d82-4cd7-8252-3ff6de4076df", "name": "Password Change Brute-Force On AzureAD", "effort": "intermediate", "data_sources": ["Authentication logs", "Azure activity logs"], "description": "A change of password has failed on Azure Active Directory, 5 times for the same user", "attack": ["credential-access - Brute Force (T1110)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "81adec32-2606-4092-93d9-a84b42d2cf20", "name": "Entra ID Sign-In Via Known AiTM Phishing Kit (Rockstar 2FA)", "effort": "elementary", "data_sources": ["Office 365 audit logs", "Azure activity logs"], "description": "Detects a sign-in attempt with known characteristics of the adversary-in-the-middle phishing kit Rockstar 2FA.", "attack": ["collection - Adversary-in-the-Middle (T1557)", "credential-access - Multi-Factor Authentication Interception (T1111)"], "intake-formats": ["Microsoft 365 / Office 365", "Microsoft Entra ID / Azure AD"]}, {"uuid": "870fdc2e-9364-4537-88e9-be116da3933e", "name": "GitHub Outside Collaborator Detected", "effort": "advanced", "data_sources": ["Application logs"], "description": "Detects an outside collaborator being removed or having its permissions changed.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Github Audit logs"]}, {"uuid": "9a0333c6-e022-482c-9c38-13bf6ab2335b", "name": "Okta Suspicious Use of a Session Cookie", "effort": "intermediate", "data_sources": ["Authentication logs"], "description": "Suspicious use of a session cookie by detecting multiple client values (IP, User Agent, etc.) changing for the same Device Token associated with a specific user.", "attack": ["resource-development - Compromise Accounts (T1586)"], "intake-formats": []}, {"uuid": "616298a7-72e5-44f2-8c46-2d18cd142d65", "name": "AWS CloudTrail IAM DeleteSAMLProvider", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when an IAM user deletes a SAML provider, which could be performed by attackers to cover their tracks.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "cacac10f-f70d-4395-8b24-61aa4ec21024", "name": "Google Cloud Audit Logs Email Forwarding", "effort": "advanced", "data_sources": ["GCP audit logs"], "description": "Detects when an out of domain email forwarding is enabled on Google Cloud.", "attack": ["collection - Email Forwarding Rule (T1114.003)"], "intake-formats": []}, {"uuid": "64e945f5-930a-40c8-b7ae-a3ddaae78171", "name": "Google Cloud Audit Logs Application Added", "effort": "intermediate", "data_sources": ["GCP audit logs"], "description": "Detects when an application is added to Google Workspace Domain. This should be an expected change made by an administrator and need to be checked.", "attack": ["initial-access - Cloud Accounts (T1078.004)"], "intake-formats": []}, {"uuid": "6922fa37-8879-4ecf-8722-ddeaf084b8a7", "name": "Microsoft 365 (Office 365) MCAS Detection Velocity", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects when Microsoft Cloud App Security identifies two user activities (a single or multiple sessions) originating from geographically distant locations within a time period shorter than the time it would have taken the user to travel from the first location to the second. To use this feature, you must have an Microsoft 365 (Office 365) E5 license (https://docs.microsoft.com/en-us/defender-cloud-apps/get-started?culture=fr-fr&country=FR).", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "927c0cee-7f36-43b3-b2a5-4cc98cb152ef", "name": "Microsoft 365 (Office 365) MCAS Repeated Delete", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects when Microsoft Cloud App Security identifies that a user has deleted an unusually large volume of files. To use this feature, you must have an Microsoft 365 (Office 365) E5 license (https://docs.microsoft.com/en-us/defender-cloud-apps/get-started?culture=fr-fr&country=FR).", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "40e9543e-03a2-4ccf-a4c7-d047bae5ceba", "name": "Mimecast Email Security Spam Not Denied", "effort": "master", "data_sources": ["Email gateway"], "description": "Detects when a spam has been detected by Mimecast and was not denied.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Mimecast Email Security"]}, {"uuid": "aefba8bf-0365-4030-8cec-2742e616a60e", "name": "Okta Application modified", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "An application has been updated on Okta SSO.", "attack": ["privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["Okta"]}, {"uuid": "9dd01ce8-9e68-4081-9802-9367939bc889", "name": "AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs"], "description": "Detects the update of a ThumbPrint from an identity provider that supports OpenID Connect. This could be a sign of an attacker adding a trusted certificate.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "812cabf9-eefc-471a-89d5-35690f55aad1", "name": "Okta Network Zone Modified", "effort": "intermediate", "data_sources": ["Authentication logs"], "description": "Detects attempts to modify an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", "attack": ["stealth - Disable or Modify Cloud Firewall (T1562.007)"], "intake-formats": ["Okta"]}, {"uuid": "d65a53d5-d578-472d-959e-1b2d4aad4963", "name": "Login Brute-Force Successful On Jumpcloud Workstation", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "A user has attempted to login several times (brute-force) on Jumpcloud monitored workstations (windows, linux, mac) and succeeded to login.", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": []}, {"uuid": "a5d1ad65-5930-478f-bf60-f46b54d4b5bf", "name": "WAF Block Rule", "effort": "master", "data_sources": ["Web application firewall logs"], "description": "Detects when one of WAF rule blocked an HTTP request. This rule often needs fine tuning according to the environment.", "attack": ["reconnaissance - Vulnerability Scanning (T1595.002)"], "intake-formats": ["F5 Distributed Cloud", "Akamai WAF", "Ubika WAAP Gateway", "Imperva WAF", "Fastly Next-Gen WAF Alerts", "Azure Front Door", "Forcepoint Next-Generation Firewall", "Elastic AuditBeat Linux", "Palo Alto NGFW", "Cloudflare WAF events", "Kaspersky Endpoint Security", "OGO WAF", "Jumpcloud Directory Insights", "Sophos Firewall", "Bitdefender GravityZone", "AWS WAF", "Gatewatcher AionIQ v102", "Palo Alto Prisma access", "Elastic Winlogbeat"]}, {"uuid": "53dc15d0-5b9e-4997-b709-fc936283fc5a", "name": "Google Workspace User Suspended", "effort": "master", "data_sources": ["GCP audit logs"], "description": "Detects when an user is suspended. An attacker can use this to remove an account used during the intrusion.", "attack": ["impact - Account Access Removal (T1531)"], "intake-formats": ["Google Workspace / ChromeOS"]}, {"uuid": "7205aead-a9c5-4912-b827-76507f0030f2", "name": "AWS CloudTrail EC2 DeleteKeyPair", "effort": "advanced", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when a specific key pair is deleted. This means the public key was removed from EC2.", "attack": ["lateral-movement - Cloud Services (T1021.007)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "532f1fed-e644-42f9-9b6b-89bbee429f06", "name": "Veeam Backup & Replication Malware Detection", "effort": "master", "data_sources": ["Application logs"], "description": "Veeam Backup & Replication has detected some malware related activity", "attack": ["reconnaissance - Vulnerability Scanning (T1595.002)"], "intake-formats": []}, {"uuid": "442b24d1-b252-4376-8694-5469f3aab2c7", "name": "Google Cloud Audit Logs Attack Warning", "effort": "intermediate", "data_sources": ["GCP audit logs"], "description": "Detects when Google Cloud Audit Logs notify an attack warning such as the famous \"Government-backed attack\".", "attack": ["initial-access - Cloud Accounts (T1078.004)"], "intake-formats": []}, {"uuid": "bd6d36e7-71eb-45f0-a5a7-888d882510fc", "name": "Microsoft Entra ID (Azure AD) Threat Intelligence", "effort": "intermediate", "data_sources": ["Azure activity logs"], "description": "Detects when Microsoft Entra ID (Azure AD) identifies a sign-in activity that is unusual for the given user or is consistent with known attack patterns based on Microsoft's internal and external threat intelligence sources. To use this feature, you must have an Microsoft Entra ID (Azure AD) Premium P2 license (https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection).", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "3fdb7fa9-18c3-487a-b6cb-19bc9f035458", "name": "Microsoft 365 (Office 365) Potential Ransomware Activity Detected", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected with ransomware.", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "7afcebb0-1110-436b-bf54-fdd992053836", "name": "Microsoft 365 (Office 365) Anti-Phishing Policy Deletion", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects when the anti-phishing policy is removed from Microsoft 365 (Office 365). By default, Microsoft 365 (Office 365) includes built-in features that help protect users from phishing attacks. This policy specifies the phishing protections to enable or disable, and the actions to apply options.", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "4c0d67c1-3dc4-4d44-9fc0-ab13cdc2dba1", "name": "Microsoft 365 (Office 365) Safelinks Disabled", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects when a safelink rule has been deleted in Microsoft 365 (Office 365). Safe Links is a feature in Defender for Microsoft 365 (Office 365) that provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages and other locations.", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "b8520ae3-b5e0-4172-ab2d-b0bef666d661", "name": "Entra ID Sign-In Via Known AiTM Phishing Kit (Greatness)", "effort": "elementary", "data_sources": ["Office 365 audit logs", "Azure activity logs"], "description": "Detects a sign-in attempt with known characteristics of the adversary-in-the-middle phishing kit Greatness.", "attack": ["collection - Adversary-in-the-Middle (T1557)", "credential-access - Multi-Factor Authentication Interception (T1111)"], "intake-formats": ["Microsoft 365 / Office 365", "Microsoft Entra ID / Azure AD"]}, {"uuid": "65a6a2d8-84f9-49d3-bbc4-ae8dcd8fca40", "name": "Entra ID Password Compromised Via Seamless SSO Credential Testing", "effort": "elementary", "data_sources": ["Office 365 audit logs"], "description": "Detects a sign-in using the Entra ID Seamless SSO `usernamemixed` endpoint. This endpoint is rarely used legitimately, and often abused by credential testing tools. Note that even if the sign-in was blocked by MFA (error 50074) or device authentication (error 50097), these verifications only occur after the correct password was submitted. The account's password must still be considered compromised, and be changed.", "attack": ["credential-access - Brute Force (T1110)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "c4521529-9b6f-4c3f-8e3f-022e34ce1262", "name": "Microsoft Entra ID (Azure AD) Login Failed Brute-Force From Single IP Address", "effort": "advanced", "data_sources": ["Azure activity logs", "Authentication logs"], "description": "A user has attempted to login several times (brute-force) on AzureAD and failed every time, all from the same source IP address and in a timerange of 5 minutes.", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "ccaac5a8-a84a-4a80-bf87-82a6fa7223e8", "name": "AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs"], "description": "Detects the addition of a Client ID to an existing identity provider that supports OpenID Connect.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "dc30a4b1-9340-460c-a9b8-5587017ea395", "name": "Okta User Logged In From Multiple Countries", "effort": "intermediate", "data_sources": ["Authentication logs"], "description": "Detection of login events from multiple countries.", "attack": ["resource-development - Compromise Accounts (T1586)"], "intake-formats": ["Okta"]}, {"uuid": "8bf4df86-d940-4bae-a05e-5ad01f32c521", "name": "AWS CloudTrail EC2 CreateKeyPair", "effort": "advanced", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when a key pair is created. Usually, SendSSHPublicKey is used afterwards to push the created key to an EC2 instance in order to be able to establish a connection to that instance.", "attack": ["lateral-movement - Cloud Services (T1021.007)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "0d8bdb95-ab31-419f-b3f3-9fa68a1ce4ef", "name": "Microsoft Entra ID (Azure AD) Anonymous IP", "effort": "advanced", "data_sources": ["Azure activity logs"], "description": "Detects when Microsoft Entra ID (Azure AD) identifies sign-ins from a risky IP address, for example, using an anonymous browser or VPN. To use this feature, you must have an Microsoft Entra ID (Azure AD) Premium P2 license (https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection).", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "c203de71-9400-46b6-98de-0cf2a6cae93e", "name": "Microsoft 365 (Office 365) Malware Uploaded On SharePoint", "effort": "intermediate", "data_sources": ["Anti-virus"], "description": "Detects when Microsoft 365 (Office 365) identifies a malicious file uploaded to SharePoint. Attackers can use this method to propagate through the network.", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "9995ef80-7d28-445c-b147-1199b95330e9", "name": "GitHub High Risk Configuration Disabled", "effort": "advanced", "data_sources": ["Application logs"], "description": "Detects a configuration being disabled in GitHub. It detects only configuration judged as highly risky if disabled. An organization should adapt this rule according to its environment.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Github Audit logs"]}, {"uuid": "8bc4144a-14fd-4c9f-ba40-7085d4642057", "name": "Okta Phishing Detection with FastPass Origin Check", "effort": "intermediate", "data_sources": ["Authentication logs"], "description": "Okta's FastPass prevents known phishing sites.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Okta"]}, {"uuid": "8a0cef5a-c899-41f4-8532-474c0bf64e10", "name": "WAF Correlation Block actions", "effort": "master", "data_sources": ["Web application firewall logs"], "description": "Detection of multiple block actions (more than 30) triggered by the same source by WAF detection rules", "attack": ["reconnaissance - Vulnerability Scanning (T1595.002)"], "intake-formats": ["Palo Alto NGFW", "OGO WAF", "Jumpcloud Directory Insights", "Cloudflare WAF events", "Sophos Firewall", "Imperva WAF", "Bitdefender GravityZone", "Fastly Next-Gen WAF Alerts", "Azure Front Door", "AWS WAF", "Forcepoint Next-Generation Firewall", "Gatewatcher AionIQ v102", "Palo Alto Prisma access", "F5 Distributed Cloud", "Elastic Winlogbeat", "Ubika WAAP Gateway"]}, {"uuid": "c9cd98ce-bf53-47ae-9d1c-6effca12977b", "name": "AWS CloudTrail EC2 Security Group Modified", "effort": "master", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when an AWS EC2 security group has been modified", "attack": ["stealth - Impair Defenses (T1562)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "a0829df9-7790-4041-a617-001f40966d40", "name": "Microsoft 365 (Office 365) Safe Attachment Rule Disabled", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects when the safe attachment rule has been deleted in Microsoft 365 (Office 365). Safe Attachments is a feature in Microsoft Defender for Microsoft 365 (Office 365) that opens email attachments in a special hypervisor environment to detect malicious activity.", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "333f6e95-0770-4ea6-a049-3c01dbc72a58", "name": "Microsoft Intune Policy Change", "effort": "intermediate", "data_sources": ["Azure activity logs"], "description": "Detects edits, deletions or creations made to an organization Microsoft Intune policies.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Microsoft Intune"]}, {"uuid": "37716900-c748-40aa-8701-7404809714fe", "name": "Google Workspace Suspicious Login", "effort": "master", "data_sources": ["GCP audit logs"], "description": "Detects a suspicious login reported by google.", "attack": ["initial-access - Valid Accounts (T1078)"], "intake-formats": []}, {"uuid": "753434e1-1675-4492-90c6-d13ebcb5e07f", "name": "Okta MFA Brute-Force Successful", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "A user has attempted to login several times (brute-force) on Okta and succeeded to login by spamming MFA.", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Okta"]}, {"uuid": "5270ef3e-c2c4-4a8a-9718-f53a9ad501fb", "name": "Microsoft 365 (Office 365) Anti-Phishing Rule Deletion", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects the deactivation of the anti-phishing rule from Microsoft 365 (Office 365). The anti-phishing rule specifies the priority and recipient filters (who the policy applies to) for an anti-phish policy.", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "20decb09-128e-4c44-8327-7c5e5ce398c0", "name": "Google Workspace App Script Scheduled Task", "effort": "advanced", "data_sources": ["GCP audit logs"], "description": "Detects when a scheduled task is launched by Google App Script. This product is used to create scripts and integrate applications within Google Workspace.", "attack": ["privilege-escalation - Scheduled Task/Job (T1053)"], "intake-formats": ["Google Workspace / ChromeOS"]}, {"uuid": "b0e3d634-b04a-4e32-b1ce-4d16b92c835f", "name": "WAF Correlation Block Multiple Destinations", "effort": "master", "data_sources": ["Web application firewall logs"], "description": "Detection of multiple block actions (more than 10) by the Web Application Firewall (WAF) triggered by the same source to mutliple destinations", "attack": ["reconnaissance - Vulnerability Scanning (T1595.002)"], "intake-formats": ["Palo Alto NGFW", "Palo Alto Prisma access"]}, {"uuid": "34e75117-a852-45a9-891a-46738d6b0e66", "name": "Microsoft Entra ID (Azure AD) Successful Password Spraying From Single IP Address", "effort": "advanced", "data_sources": ["Azure activity logs", "Authentication logs"], "description": "An IP address performed several failed logins on multiple users to then have a successful login on one of them. Note that even if the sign-in was blocked by MFA (error 50074/50076/50158) or conditional access (error 50097/53003), these verifications only occur after the correct password was submitted. The account's password must still be considered compromised, and be changed.", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "b3fb4572-21a6-4cce-8265-8b2e5436819e", "name": "Entra ID Sign-In Via Known AiTM Phishing Kit (Gabagool)", "effort": "elementary", "data_sources": ["Office 365 audit logs", "Azure activity logs"], "description": "Detects a sign-in attempt with known characteristics of the adversary-in-the-middle phishing kit Gabagool. The `filter_password_spraying` exclusion corresponds to a password spraying tool which is already detected by the rule `Entra ID Password Compromised By Known Credential Testing Tool`.", "attack": ["collection - Adversary-in-the-Middle (T1557)", "credential-access - Multi-Factor Authentication Interception (T1111)"], "intake-formats": ["Microsoft 365 / Office 365", "Microsoft Entra ID / Azure AD"]}, {"uuid": "14e75730-c79b-4416-a503-6f7c30757053", "name": "Entra ID Sign-In Via Known AiTM Phishing Kit (HoneySecurity / HoneyStorm)", "effort": "elementary", "data_sources": ["Office 365 audit logs", "Azure activity logs"], "description": "Detects a sign-in attempt with known characteristics of the adversary-in-the-middle phishing kit HoneySecurity / HoneyStorm.", "attack": ["collection - Adversary-in-the-Middle (T1557)", "credential-access - Multi-Factor Authentication Interception (T1111)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "e500e9c8-5ebb-4a27-9e03-aaa17d41850e", "name": "Google Cloud Audit Logs Account Suspended", "effort": "intermediate", "data_sources": ["GCP audit logs"], "description": "Detects when Google Cloud Audit Logs notify a user account suspended for a suspicious activity", "attack": ["initial-access - Cloud Accounts (T1078.004)"], "intake-formats": []}, {"uuid": "81d3c834-1b7e-4ba2-83a4-839dcec6a875", "name": "Google Cloud Audit Logs Trusted Domain Added", "effort": "intermediate", "data_sources": ["GCP audit logs"], "description": "Detects when a domain name is added to Google Workspace Trusted Domain. This could be used by an attacker to bypass some security controls or just be a legit admin action.", "attack": ["stealth - Disable or Modify Cloud Firewall (T1562.007)"], "intake-formats": []}, {"uuid": "2c86166a-31ba-430b-8d7f-671bb9009a95", "name": "Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country", "effort": "master", "data_sources": ["Azure activity logs"], "description": "Detects when Microsoft Entra ID (Azure AD) identifies sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior. To use this feature, you must have an Microsoft Entra ID (Azure AD) Premium P2 license (https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection).", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "b4347866-ec0c-441a-bb0d-3e954e404143", "name": "Jumpcloud Policy Modified", "effort": "intermediate", "data_sources": ["Authentication logs"], "description": "Detects when a Jumpcloud policy is modified.", "attack": ["privilege-escalation - Domain or Tenant Policy Modification (T1484)"], "intake-formats": ["Jumpcloud Directory Insights"]}, {"uuid": "41658b1d-e33d-4e67-8eab-2cad73d0e101", "name": "Varonis Many File Created and Deleted", "effort": "master", "data_sources": ["File monitoring"], "description": "This rule identifies a high number of file created and deleted on the same host. It is a typical ransomware behavior.", "attack": ["impact - Data Encrypted for Impact (T1486)"], "intake-formats": ["Varonis Data Security"]}, {"uuid": "5b5c609b-c197-41e2-a7ba-be795acb7f11", "name": "Sign-In Via Known AiTM Phishing Kit", "effort": "elementary", "data_sources": ["Office 365 audit logs", "Azure activity logs"], "description": "Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.", "attack": ["collection - Adversary-in-the-Middle (T1557)", "credential-access - Multi-Factor Authentication Interception (T1111)"], "intake-formats": ["Netskope", "CyberArk Audit Logs", "Google Workspace / ChromeOS", "Cloudflare Access Requests", "Salesforce", "Cisco Duo Security", "GraphAPI for Microsoft Entra ID / Azure AD", "Palo Alto NGFW", "Fortinet FortiWeb", "Zscaler Internet Access", "FreeRADIUS", "Fortinet FortiMail", "Wiz Audit Logs", "Cato Networks SASE", "ArubaOS Switch", "Microsoft Entra ID / Azure AD", "MokN - Baits", "WatchGuard Firebox", "Microsoft 365 / Office 365", "Palo Alto Prisma access", "Okta"]}, {"uuid": "fe43cc23-9144-436c-8b6b-b3f5ea08ccfa", "name": "Google Workspace Email Forwarding", "effort": "advanced", "data_sources": ["GCP audit logs"], "description": "Detects when a user enables email forwarding out of the domain", "attack": ["collection - Email Forwarding Rule (T1114.003)"], "intake-formats": ["Google Workspace / ChromeOS"]}, {"uuid": "17b4526e-145a-4c2f-a246-dc8e2160d2d9", "name": "AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2", "effort": "elementary", "data_sources": ["AWS CloudTrail logs", "Services"], "description": "Detects when AWS CloudTrail detected an AWS Access Key that was compromised, and then quarantined by AWS. This could indicate for instance that the private key was found on a GitHub public repository.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "6d0ee04c-801f-4665-8e97-f4f8eef4bf83", "name": "GitHub Delete Action", "effort": "advanced", "data_sources": ["Application logs"], "description": "Detects a Delete/Destroy action in GitHub audit logs.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Github Audit logs"]}, {"uuid": "53b00fd6-5715-44eb-9f67-84d729f65bc8", "name": "Entra ID Sign-In Via Known AiTM Phishing Kit (Sneaky 2FA)", "effort": "elementary", "data_sources": ["Office 365 audit logs", "Azure activity logs"], "description": "Detects a sign-in attempt with an impossible device shift characteristic of the adversary-in-the-middle phishing kit Sneaky 2FA.", "attack": ["collection - Adversary-in-the-Middle (T1557)", "credential-access - Multi-Factor Authentication Interception (T1111)"], "intake-formats": ["Microsoft 365 / Office 365", "Microsoft Entra ID / Azure AD"]}, {"uuid": "8eacf827-1db3-4a0d-ab10-1283c6b28b99", "name": "AWS CloudTrail Remove Flow logs", "effort": "advanced", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when an attacker is removing Flow Logs to cover their tracks", "attack": ["stealth - Disable or Modify Tools (T1562.001)", "stealth - Disable or Modify Cloud Logs (T1562.008)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "2fa62b41-cfc8-42b0-aef0-e9bc1448004a", "name": "Varonis Many Accounts Disabled", "effort": "master", "data_sources": ["File monitoring"], "description": "This rule identifies a high number of account disabled.", "attack": ["privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["Varonis Data Security"]}, {"uuid": "b39834d4-e1e4-4b75-bbba-ff898c3cc52a", "name": "Bitsight SPM Minor Vulnerability", "effort": "master", "data_sources": ["Asset management"], "description": "Bitsight SPM has raised a minor vulnerability finding", "attack": ["reconnaissance - Vulnerability Scanning (T1595.002)"], "intake-formats": ["Bitsight SPM"]}, {"uuid": "5dddb77c-da3a-4430-9ff1-143f2c329c2a", "name": "AWS CloudTrail EC2 CreateVPC", "effort": "advanced", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when a VPC is created.", "attack": ["defense-impairment - Create Cloud Instance (T1578.002)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "89428c24-f126-4bea-b337-0bc97aadccf9", "name": "Google Workspace MFA changed", "effort": "master", "data_sources": ["GCP audit logs"], "description": "Detects when the settings for the MFA are modified.", "attack": ["credential-access - Multi-Factor Authentication (T1556.006)"], "intake-formats": ["Google Workspace / ChromeOS"]}, {"uuid": "28aed613-fe39-4460-a6b0-30e27cc24042", "name": "Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action", "effort": "master", "data_sources": ["Office 365 audit logs"], "description": "Microsoft Defender for Office 365 includes the capability to run Automated investigation and response (AIR) actions. This rule detects when a Low or Informational severity alert triggered an automated investigation, and remediation actions need to be approved or conducted. Low and Informational alerts include when an email is reported by a user, or when a malicious email is removed after delivery.", "attack": ["initial-access - Phishing (T1566)", "initial-access - Spearphishing Attachment (T1566.001)", "initial-access - Spearphishing Link (T1566.002)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "ecae3c71-2d85-4150-a952-cee547e15913", "name": "Google Workspace User Creation", "effort": "master", "data_sources": ["GCP audit logs"], "description": "Detects when a new user is created.", "attack": ["persistence - Cloud Account (T1136.003)"], "intake-formats": ["Google Workspace / ChromeOS"]}, {"uuid": "d3af04ae-74b5-47cc-a2b4-87e4a22d1d9d", "name": "Microsoft 365 Device Code Authentication", "effort": "master", "data_sources": ["Office 365 audit logs"], "description": "Authentication via a device code is designed for use with input constrained devices. This method can however be abused, particularly in social engineering attacks. Whitelisting based on the organisation's practices is likely required to make this rule useful (e.g. excluding the public IP ranges of the organisation, excluding authentications attempt from managed devices, etc.). Note: if you collect Entra ID SignInLogs, the rule \"Microsoft Entra ID (Azure AD) Device Code Authentication\" is a better equivalent to this rule.", "attack": ["initial-access - Cloud Accounts (T1078.004)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "6d9f16f3-10bd-4ca3-b9b8-9713338c827c", "name": "AWS CloudTrail Config DeleteConfigurationRecorder", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs", "Services"], "description": "Detects when the Configuration Recorder was deleted. The configuration recorder is used to detect changes in your resource configurations and capture these changes as configuration items.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "fb75b30e-f2ca-4f98-9910-f257578f2eb3", "name": "Microsoft Entra ID (Azure AD) Self Service Password Reset In Failure", "effort": "master", "data_sources": ["Application logs", "Authentication logs"], "description": "Detects self-service password reset in failure for various reasons (except licence or policy ones)", "attack": ["privilege-escalation - Account Manipulation (T1098)"], "intake-formats": []}, {"uuid": "f0da5b1b-4853-4aab-a3ed-24d0c270827a", "name": "Google Workspace Blocked Sender", "effort": "advanced", "data_sources": ["GCP audit logs"], "description": "Detects when a user is blocked by google workspace.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Google Workspace / ChromeOS"]}, {"uuid": "3e33325c-31ac-458c-a9e3-ce07023db017", "name": "Google Cloud Audit Logs Drive Ownership Transferred", "effort": "advanced", "data_sources": ["GCP audit logs"], "description": "Detects when Drive/Docs user files ownership is transferred. The legit use case is when a user is being removed, but this could also be abused by an attacker for exfiltration.", "attack": ["exfiltration - Transfer Data to Cloud Account (T1537)"], "intake-formats": []}, {"uuid": "014a0531-10e2-48e7-a46b-9ee7e95da073", "name": "Bitsight SPM Moderate Vulnerability", "effort": "master", "data_sources": ["Asset management"], "description": "Bitsight SPM has raised a moderate vulnerability finding", "attack": ["reconnaissance - Vulnerability Scanning (T1595.002)"], "intake-formats": ["Bitsight SPM"]}, {"uuid": "3a9e3a24-d87b-45b6-ad28-056318849655", "name": "Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses", "effort": "intermediate", "data_sources": ["Office 365 account logs"], "description": "Detection of login events from two IP addresses within 3mn, as it could happen if someone got phished with a tool like Evilginx2.", "attack": ["collection - Adversary-in-the-Middle (T1557)", "credential-access - Multi-Factor Authentication Interception (T1111)", "initial-access - Spearphishing Link (T1566.002)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "e62e52e4-31a2-494a-8d4a-d84dc84ae6b0", "name": "AWS CloudTrail KMS CMK Key Deleted", "effort": "advanced", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when a CMK is deleted or scheduled for deletion", "attack": ["stealth - File Deletion (T1070.004)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "22bada16-4399-4113-940d-5397cb9b8613", "name": "Entra ID Password Compromised By Known Credential Testing Tool", "effort": "elementary", "data_sources": ["Office 365 audit logs", "Azure activity logs"], "description": "Detects a sign-in that has a correlation ID known to be used by malicious credential testing scripts. Note that even if the sign-in was blocked by MFA (error 50074) or device authentication (error 50097), these verifications only occur after the correct password was submitted. The account's password must still be considered compromised, and be changed.", "attack": ["credential-access - Brute Force (T1110)"], "intake-formats": ["Microsoft 365 / Office 365", "Microsoft Entra ID / Azure AD", "GraphAPI for Microsoft Entra ID / Azure AD"]}, {"uuid": "855ab5ba-b2d1-4507-8c61-7095d9ff1801", "name": "AWS CloudTrail ECS Cluster Deleted", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when an attacker is destroying an AWS ECS Cluster", "attack": ["defense-impairment - Delete Cloud Instance (T1578.003)", "impact - Data Destruction (T1485)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "ebc07d97-ea80-4238-8a7f-e3f63ce5edba", "name": "Mimecast Email Security Virus Not Denied", "effort": "master", "data_sources": ["Email gateway"], "description": "Detects when a virus signature has been detected by Mimecast and was not denied.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Mimecast Email Security"]}, {"uuid": "036ebf9a-b92f-42c7-a609-246983d82126", "name": "AWS CloudTrail IAM Policy Changed", "effort": "master", "data_sources": ["AWS CloudTrail logs"], "description": "Detects change on AWS IAM Policy", "attack": ["defense-impairment - Modify Cloud Compute Infrastructure (T1578)", "privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "d84d4d16-bfb2-445a-a7ce-438818caf398", "name": "Mimecast Email Security Malicious QRCode Not Denied", "effort": "master", "data_sources": ["Email gateway"], "description": "Detects a malicious qrcode in an email not denied by Mimecast.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Mimecast Email Security"]}, {"uuid": "6e7f91bf-ee3f-41ec-807a-e474336a8b52", "name": "AWS CloudTrail IAM Failed User Creation", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs"], "description": "Detects an attemp to create a user account where the result is an explicit denied.", "attack": ["defense-impairment - Modify Cloud Compute Infrastructure (T1578)", "privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "eb6b30af-c032-4678-a3c2-8c91a539ba42", "name": "Microsoft 365 (Office 365) Malware Filter Policy Removed", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects when a malware policy has been deleted in Microsoft 365 (Office 365). A malware filter policy is used to alert administrators that an internal user sent a message that contained malware.", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "9265fe9f-ffca-4f65-a14e-a87ac62f47b2", "name": "Okta API Token created", "effort": "advanced", "data_sources": ["Access tokens", "Authentication logs"], "description": "A new API Token has been created on Okta SSO.", "attack": ["privilege-escalation - Access Token Manipulation (T1134)"], "intake-formats": ["Okta"]}, {"uuid": "b79476d2-2145-446a-8f7c-9ed203269853", "name": "Microsoft Entra ID (Azure AD) Token Issuer Anomaly", "effort": "advanced", "data_sources": ["Azure activity logs"], "description": "Detects when Microsoft Entra ID (Azure AD) indicates that The SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns. To use this feature, you must have an Microsoft Entra ID (Azure AD) Premium P2 license (https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection).", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "0694f03f-bd58-4a63-ad3e-20597f865490", "name": "Microsoft 365 Email Forwarding To Consumer Email Address", "effort": "intermediate", "data_sources": ["Office 365 audit logs"], "description": "An email forwarding rule was created, that automatically forwards incoming emails to an address outside of the organization (most common consumer email services).", "attack": ["collection - Email Forwarding Rule (T1114.003)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "3a911dd8-9c46-47b5-965b-17244558bbb0", "name": "Google Workspace Bypass 2FA", "effort": "master", "data_sources": ["GCP audit logs"], "description": "Detects when user tries to bypass the 2FA.", "attack": ["privilege-escalation - Bypass User Account Control (T1548.002)"], "intake-formats": ["Google Workspace / ChromeOS"]}, {"uuid": "45e34544-318d-4b72-bf86-57a803c618fc", "name": "AWS CloudTrail IAM ChangePassword", "effort": "advanced", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when an IAM user wants to change its password.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "7c196e24-8e50-4b1b-975f-edf08cd95cb6", "name": "Microsoft Entra ID (Azure AD) Password Spray", "effort": "intermediate", "data_sources": ["Azure activity logs"], "description": "Detects when Microsoft Entra ID (Azure AD) indicates that multiple usernames are attacked using common passwords in a unified brute force manner to gain unauthorized access. To use this feature, you must have an Microsoft Entra ID (Azure AD) Premium P2 license (https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection).", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "eeb8d983-81df-4e23-95a1-9b67a9701364", "name": "AWS CloudTrail IAM UpdateSAMLProvider", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when an IAM user updates a SAML provider. Attackers could perform that to be stealthy by adding a third-party connection into an existing SAML provider.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "fdb670c5-8d34-4c0f-af21-6edc4387d6d3", "name": "Okta Network Zone Deactivated", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", "attack": ["stealth - Disable or Modify Cloud Firewall (T1562.007)"], "intake-formats": ["Okta"]}, {"uuid": "46961b65-e47f-41db-959a-ea612270d46d", "name": "AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey", "effort": "advanced", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when an attacker is pushing an SSH Public Key to an EC2 instance. Then he can establish a serial connection to the console using SSH.", "attack": ["lateral-movement - Cloud Services (T1021.007)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "d9fe0599-253a-49a2-b9df-7f41b8e27613", "name": "Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA)", "effort": "elementary", "data_sources": ["Office 365 audit logs", "Azure activity logs"], "description": "Detects a sign-in attempt with known characteristics of the adversary-in-the-middle phishing kit Tycoon 2FA.", "attack": ["collection - Adversary-in-the-Middle (T1557)", "credential-access - Multi-Factor Authentication Interception (T1111)"], "intake-formats": ["Microsoft 365 / Office 365", "Microsoft Entra ID / Azure AD"]}, {"uuid": "37122f02-7521-4633-95ab-3dbd05fbffc9", "name": "AWS CloudTrail EC2 Instance Connect SendSSHPublicKey", "effort": "advanced", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when an attacker is pushing an SSH Public Key to an EC2 instance. Then he can establish a connection to the console using SSH.", "attack": ["lateral-movement - Cloud Services (T1021.007)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "d5d523cb-05bd-4bf7-9e6b-e4413ab89092", "name": "Microsoft Entra ID (Azure AD) Malicious IP", "effort": "intermediate", "data_sources": ["Azure activity logs"], "description": "Detects when Microsoft Entra ID (Azure AD) identifies a malicious IP address. An IP address is considered malicious based on high failure rates because of invalid credentials received from the IP address or other IP reputation sources. To use this feature, you must have an Microsoft Entra ID (Azure AD) Premium P2 license (https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection).", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "3cbd3a26-4def-44be-8455-3e18ef67f94c", "name": "Okta Security Threat Configuration Updated", "effort": "intermediate", "data_sources": ["Authentication logs"], "description": "Detects when the threat configuration has been updated in Okta.", "attack": ["stealth - Impair Defenses (T1562)"], "intake-formats": ["Okta"]}, {"uuid": "77f20fb0-a7be-480b-a6ae-f8a4cc670de4", "name": "Okta Admin Privilege Granted", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "Administrator privilege granted to an user or account. This can be privilege escalation, persistance over system or account takedown.", "attack": ["privilege-escalation - Account Manipulation (T1098)", "privilege-escalation - Exploitation for Privilege Escalation (T1068)"], "intake-formats": ["Okta"]}, {"uuid": "875464a7-7b47-4d83-83a8-ca589aa347e1", "name": "Cloudflare HTTP Requests Rule Block Or Drop", "effort": "master", "data_sources": ["Web application firewall logs"], "description": "Detects when one of Cloudflare Web Application Firewall (WAF) Managed rule blocked or dropped an HTTP request. It requires only Cloudflare HTTP requests logs.", "attack": ["reconnaissance - Vulnerability Scanning (T1595.002)"], "intake-formats": ["Cloudflare HTTP requests"]}, {"uuid": "702d6b88-fc80-41dd-93f2-b67d61b72479", "name": "Google Workspace Password Change", "effort": "master", "data_sources": ["GCP audit logs"], "description": "Detects when a password is changed. An attacker can perform this action to impact the availability of the account.", "attack": ["credential-access - Modify Authentication Process (T1556)"], "intake-formats": ["Google Workspace / ChromeOS"]}, {"uuid": "18860017-fdfa-4a94-b913-ffa6d339bcb7", "name": "Login Brute-Force Successful On Jumpcloud Portal", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "A user has attempted to login several times (brute-force) on Jumpcloud Portal and succeeded to login.", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Palo Alto NGFW", "Rubycat PROVE IT", "CyberArk Digital Vault", "Palo Alto Prisma access", "F5 BIG-IP", "Cisco IOS router and switch", "Elastic Winlogbeat"]}, {"uuid": "cb776388-c301-4f77-94af-865dc4d7cd5c", "name": "Microsoft Entra ID (Azure AD) Domain Trust Modification", "effort": "elementary", "data_sources": ["Azure activity logs"], "description": "Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Confirm the added or modified target domain/URL is legitimate administrator behavior.", "attack": ["privilege-escalation - Trust Modification (T1484.002)"], "intake-formats": ["Microsoft 365 / Office 365", "Microsoft Entra ID / Azure AD"]}, {"uuid": "d7374e7c-1faa-4327-bad3-78a27064839d", "name": "Okta Security Threat Detected", "effort": "intermediate", "data_sources": ["Authentication logs"], "description": "Detects when a security threat is detected in Okta.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["Okta"]}, {"uuid": "3f3a9bc0-ef29-431e-8a40-40e7d857cb21", "name": "Okta User Logged In Multiple Applications", "effort": "intermediate", "data_sources": ["Authentication logs"], "description": "Detection of login events on multiple application.", "attack": ["resource-development - Compromise Accounts (T1586)"], "intake-formats": ["Okta"]}, {"uuid": "0eedbee0-5344-4c0f-b25e-a49adab99b90", "name": "AWS CloudTrail IAM DeleteOpenIDConnectProvider", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs"], "description": "Detects the deletion of an IAM entity to describe an identity provider that supports OpenID Connect.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "b5467da4-ffa0-4d84-bd8e-08af48b8779d", "name": "Okta Access To Admin Console Denied", "effort": "master", "data_sources": ["Authentication logs"], "description": "Detects when an attempt was made to access the Okta Admin Console from an interactive user account but failed.", "attack": ["initial-access - Valid Accounts (T1078)"], "intake-formats": ["Okta"]}, {"uuid": "84ef2ee8-0412-4838-a312-e1cfed34ed12", "name": "Microsoft 365 (Office 365) AtpDetection", "effort": "intermediate", "data_sources": ["Anti-virus"], "description": "Detects when an AtpDetection (Advanced Threat Protection) event from the Office365 ThreatIntelligence service is raised. AtpDetection is a service which secures emails, attachments, and files by scanning them for threats.", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "5ffbb915-52ac-4c92-a3ff-9d59948bf2e8", "name": "Okta User Account Created", "effort": "master", "data_sources": ["Authentication logs"], "description": "A user account has been created in Okta.", "attack": ["persistence - Create Account (T1136)"], "intake-formats": ["Okta"]}, {"uuid": "9de0e071-91ef-45ee-a895-1b833858aca3", "name": "Microsoft 365 (Office 365) Mass Download By A Single User", "effort": "master", "data_sources": ["Anti-virus"], "description": "Identifies when Microsoft Cloud App Security reports that a single user performs more than 50 downloads within 1 minute.", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "73e69718-5a18-4f56-9544-3d21f26ee7aa", "name": "Microsoft Entra ID (Azure AD) Device Code Authentication", "effort": "master", "data_sources": ["Azure activity logs"], "description": "Authentication via a device code is designed for use with input constrained devices. This method can however be abused, particularly in social engineering attacks. Whitelisting based on the organisation's practices is likely required to make this rule useful (e.g. excluding the public IP ranges of the organisation, excluding authentications attempt from managed devices, etc.)", "attack": ["initial-access - Cloud Accounts (T1078.004)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "4451d02e-deba-4af4-9aee-d92e0379d3f3", "name": "Entra ID Consent Attempt to Suspicious OAuth Application", "effort": "elementary", "data_sources": ["Office 365 audit logs", "Azure activity logs"], "description": "Detects an attempt to authorize account access to an OAuth application commonly used in business email compromise (BEC) attacks. Investigate the source IP address: unusual countries, RDP hosts and VPN providers are likely indicators of malicious activity.", "attack": ["collection - Remote Email Collection (T1114.002)"], "intake-formats": ["Microsoft 365 / Office 365", "Microsoft Entra ID / Azure AD"]}, {"uuid": "9ea55509-05c5-4af8-9a63-5385a0bfb1db", "name": "Okta MFA Bypass Attempt", "effort": "intermediate", "data_sources": ["Authentication logs"], "description": "A bypass of MFA may have been attempted.", "attack": ["credential-access - Multi-Factor Authentication Interception (T1111)"], "intake-formats": ["Okta"]}, {"uuid": "d9667cd2-8240-4d26-a02a-56adb37bc6bc", "name": "Microsoft 365 (Office 365) Malware Filter Rule Deletion", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects when a malware filter rule has been deleted in Microsoft 365 (Office 365). The malware filter rule specifies the priority and recipient filters (who the policy applies to) for a malware filter policy.", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "5db515e3-5da7-4c9d-897f-947bcd3ae3f3", "name": "Microsoft 365 (Office 365) MCAS Repeated Failed Login", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects when Microsoft Cloud App Security identifies a large number of failed login attempts which may indicate a brute-force attempt. To use this feature, you must have an Microsoft 365 (Office 365) E5 license (https://docs.microsoft.com/en-us/defender-cloud-apps/get-started?culture=fr-fr&country=FR).", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "6ab7c366-eb70-4011-8bfa-79ce3b5c2927", "name": "Google Workspace Anomaly File Downloads", "effort": "master", "data_sources": ["GCP audit logs"], "description": "Detects a large number of file downloads.", "attack": ["execution - User Execution (T1204)"], "intake-formats": []}, {"uuid": "29dc52b3-a88f-4766-9fe3-89aa51cde3ce", "name": "Google Cloud Audit Logs Application Authorized", "effort": "master", "data_sources": ["GCP audit logs"], "description": "Detects when an application is authorized to access a Google user account. An exception is currently made for GMAIL because of the large number of hits.", "attack": ["initial-access - Cloud Accounts (T1078.004)"], "intake-formats": []}, {"uuid": "e2afe5f0-8c01-4ce0-b466-a70362804d50", "name": "Okta Policy Modified or Deleted", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "Detects when an Okta policy is modified or deleted.", "attack": ["privilege-escalation - Domain or Tenant Policy Modification (T1484)"], "intake-formats": ["Okta"]}, {"uuid": "a99acd2f-7c95-4498-a8d3-320fded09943", "name": "Okta User Account Deactivated", "effort": "master", "data_sources": ["Authentication logs"], "description": "A user account has been deactivated in Okta.", "attack": ["privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["Okta"]}, {"uuid": "86baf707-115c-4b61-8f57-726a67020108", "name": "Zscaler ZIA Malicious Threat Outbreak", "effort": "master", "data_sources": ["Web proxy"], "description": "Spots a peak of malicious threat detection by Zscaler ZIA", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": []}, {"uuid": "bb232ace-139a-43f9-9b5d-f54102b8ae2e", "name": "Microsoft Entra ID (Azure AD) Abnormal Token", "effort": "intermediate", "data_sources": ["Azure activity logs"], "description": "Detects when Microsoft Entra ID (Azure AD) indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location. To use this feature, you must have an Microsoft Entra ID (Azure AD) Premium P2 license (https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection).", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "d64cf1a5-efa4-4780-998f-e475b307bedc", "name": "Microsoft 365 Sign-in With No User Agent", "effort": "elementary", "data_sources": ["Office 365 audit logs"], "description": "Detects a sign-in without any User-Agent header. This may indicate that the sign-in originated from an adversary-in-the-middle phishing page or a password spraying tool. Sign-ins happening through a regular web browser always have a User-Agent header. Investigate the source IP address. If it is unknown, assume that the account's password is compromised.", "attack": ["collection - Adversary-in-the-Middle (T1557)", "credential-access - Multi-Factor Authentication Interception (T1111)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "29d25794-e7e3-4988-87a7-7918ce3c4dbb", "name": "AWS CloudTrail GuardDuty Detector Deleted", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs", "Services"], "description": "Detects when an attacker is trying to evade defenses by deleting a GuardDuty detector", "attack": ["stealth - Impair Defenses (T1562)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "511df255-fb1a-4a91-bf21-0a39fe99005f", "name": "Varonis Massive Dowloads By A Single User", "effort": "master", "data_sources": ["File monitoring"], "description": "This rule identifies a high number of File dowloaded by a single user.", "attack": ["impact - Data Encrypted for Impact (T1486)"], "intake-formats": ["Varonis Data Security"]}, {"uuid": "22da2125-5aa7-4739-a247-2ec8626240d0", "name": "AWS CloudTrail S3 Bucket Replication", "effort": "master", "data_sources": ["AWS CloudTrail logs"], "description": "Detects a replication rule being enable for a given S3 bucket: it could provide an attacker a way to exfiltrate data.", "attack": ["defense-impairment - Delete Cloud Instance (T1578.003)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "e290a62a-814b-4377-82b8-c037d46bb36a", "name": "Microsoft 365 (Office 365) MCAS Inbox Hiding", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects when Microsoft Cloud App Security identifies that a suspicious inbox rule was set on a user\u2019s inbox. This may indicate that the user account is compromised, and that the mailbox is being used to distribute spam and malware in your organization. To use this feature, you must have an Microsoft 365 (Office 365) E5 license (https://docs.microsoft.com/en-us/defender-cloud-apps/get-started?culture=fr-fr&country=FR).", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "bb894761-3c10-4372-a619-8fdac09d0411", "name": "Microsoft Entra ID (Azure AD) Suspicious Browser", "effort": "master", "data_sources": ["Azure activity logs"], "description": "Detects when Microsoft Entra ID (Azure AD) identifies suspicious sign-in activity across multiple tenants from different countries in the same browser. To use this feature, you must have an Microsoft Entra ID (Azure AD) Premium P2 license (https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection).", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "266b87e8-7a09-43f2-8e79-c7139c7a0a0e", "name": "AWS CloudTrail Route 53 Domain Transfer Attempt", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when a request in success or failure is made to transfer a domain name to an other AWS account", "attack": ["defense-impairment - Modify Cloud Compute Infrastructure (T1578)", "privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "9d2ed8be-c714-4604-93ba-0f13a30ff35b", "name": "Google Workspace User Deletion", "effort": "master", "data_sources": ["GCP audit logs"], "description": "Detects when an user is deleted.", "attack": ["impact - Account Access Removal (T1531)"], "intake-formats": ["Google Workspace / ChromeOS"]}, {"uuid": "cf0ba775-0ba7-400e-ab8b-981e78adf139", "name": "Google Workspace Login Brute-Force", "effort": "master", "data_sources": ["GCP audit logs"], "description": "Detects when a user failed to login multiple times before a successful login.", "attack": ["credential-access - Brute Force (T1110)"], "intake-formats": ["Google Workspace / ChromeOS"]}, {"uuid": "6e2dd2d4-f602-4a29-af5f-75e7e98c6131", "name": "Microsoft 365 (Office 365) Unusual Volume Of File Deletion", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects when Microsoft Cloud App Security identifies that a user has deleted an unusually large volume of files.", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "b9bfdaa1-1e39-40d2-8a2e-b5813875b79d", "name": "AWS CloudTrail GuardDuty Detector Suspended", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs", "Services"], "description": "Detects the suspension of the GuardDuty service", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "34b7a40b-3440-4c15-ad69-7e9c80a92f60", "name": "Okta Blacklist Manipulations", "effort": "intermediate", "data_sources": ["Authentication logs"], "description": "Detects when some manipulation are done in blacklist configurations.", "attack": ["stealth - Impair Defenses (T1562)"], "intake-formats": ["Okta"]}, {"uuid": "ee8d9e10-b168-44d4-a14b-38ee5fcee560", "name": "Microsoft 365 Email Forwarding To Email Address With Rare TLD", "effort": "intermediate", "data_sources": ["Office 365 audit logs"], "description": "An email forwarding rule was created, that automatically forwards incoming emails to an address outside of the organization (less common top-level domain).", "attack": ["collection - Email Forwarding Rule (T1114.003)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "69faf034-e2ee-4c2b-94c9-4af5e3b110e8", "name": "Microsoft 365 Security and Compliance Center High Severity Alert", "effort": "master", "data_sources": ["Office 365 audit logs"], "description": "A security or compliance-related alert of high severity was raised, based on the policies of the tenant. This rule can be very noisy depending on the configuration of the tenant. Alert filters are likely required. In addition, most alerts don't include any context, and are only useful if the analysts have access to the Microsoft portals to investigate.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "ce6c23a6-bbf0-4983-bbd4-b0f741f00c59", "name": "Login Brute-Force Successful On AzureAD From Single IP Address", "effort": "advanced", "data_sources": ["Azure activity logs", "Authentication logs"], "description": "A user has attempted to login several times (brute-force) on AzureAD and succeeded to login, all from the same source IP address and in a timerange of 5 minutes.", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "b22b2c38-9cad-45d6-9b56-d3ad3afda6af", "name": "Google Cloud Audit Logs Custom Gmail Route", "effort": "advanced", "data_sources": ["GCP audit logs"], "description": "Detects when a custom Gmail route is added or modified. This could be abused by attackers to exfiltrate data.", "attack": ["collection - Email Forwarding Rule (T1114.003)"], "intake-formats": []}, {"uuid": "9fe79727-64ab-46a6-983a-97ef473bca82", "name": "Cloudflare WAF Correlation Alerts", "effort": "master", "data_sources": ["Web application firewall logs"], "description": "Detection of multiple alerts (more than 5) triggered by the same source by Cloudflare detection rules", "attack": ["reconnaissance - Vulnerability Scanning (T1595.002)"], "intake-formats": ["Cloudflare HTTP requests"]}, {"uuid": "9208ad44-5f90-4008-8df2-4aec7754ea9d", "name": "AWS CloudTrail EC2 VM Export Failure", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs"], "description": "Detects attempt to export an AWS EC2 instance. A VM Export might indicate an attempt to extract information from an instance.", "attack": ["collection - Data from Local System (T1005)", "exfiltration - Transfer Data to Cloud Account (T1537)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "e58b7fb4-0468-4852-8ad7-e69a63cc45f7", "name": "Okta Network Zone Deleted", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "Detects attempts to delete an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", "attack": ["stealth - Disable or Modify Cloud Firewall (T1562.007)"], "intake-formats": ["Okta"]}, {"uuid": "a19df6fa-768e-449d-a97e-41d137ad0a38", "name": "AWS CloudTrail EC2 Subnet Deleted", "effort": "master", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when an attacker is destroying an EC2 subnet.", "attack": ["defense-impairment - Delete Cloud Instance (T1578.003)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "7be9115f-bbd6-40f3-8d5f-b9ecce23ea1e", "name": "AWS CloudTrail EC2 Enable Serial Console Access", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when the EC2 serial console access feature is enabled. This could abused by some attackers to avoid network detection when accessing to EC2 instances.", "attack": ["lateral-movement - Cloud Services (T1021.007)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "cfaf562f-d035-4616-8907-38689e7a709c", "name": "Microsoft 365 Authenticated Activity From Tor IP Address", "effort": "advanced", "data_sources": ["Office 365 audit logs"], "description": "Detects authenticated Microsoft 365 activity from an IP address associated with Tor.", "attack": ["command-and-control - Multi-hop Proxy (T1090.003)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "4e45660e-25f2-4aeb-98f0-0cd50753931c", "name": "Google Workspace External Sharing", "effort": "master", "data_sources": ["GCP audit logs"], "description": "Detects a large number of external sharing.", "attack": ["command-and-control - Application Layer Protocol (T1071)"], "intake-formats": ["Google Workspace / ChromeOS"]}, {"uuid": "386e570d-ef94-4f9b-9e60-37c9d4915bbe", "name": "Okta Suspicious Activity Reported", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network.", "attack": ["initial-access - Valid Accounts (T1078)"], "intake-formats": ["Okta"]}, {"uuid": "23aa0dcf-8071-4038-8817-303bd5590a7a", "name": "Okta MFA Disabled", "effort": "intermediate", "data_sources": ["Authentication logs"], "description": "A MFA has beed disabled in Okta SSO. This is a common behavior to gain permanent access over a system.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Okta"]}, {"uuid": "0ebfdb60-3eba-4f2b-9509-3cec58b1d4fa", "name": "GitHub Dependabot Or Vulnerability Alerts Disabled", "effort": "advanced", "data_sources": ["Application logs"], "description": "Detects dependabot or vulnerability alerts being disabled. Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Github Audit logs"]}, {"uuid": "07936b58-87bc-44f6-9d3f-028c54e3e565", "name": "Microsoft Defender for Office 365 High Severity AIR Alert", "effort": "master", "data_sources": ["Office 365 audit logs"], "description": "Microsoft Defender for Office 365 includes the capability to run Automated investigation and response (AIR) actions. This rule detects when a High severity alert triggers an automated investigation, such as when a potentially malicious URL click was detected, or when a user is restricted from sending email.", "attack": ["resource-development - Compromise Accounts (T1586)", "resource-development - Email Accounts (T1586.002)", "initial-access - Phishing (T1566)", "initial-access - Spearphishing Attachment (T1566.001)", "initial-access - Spearphishing Link (T1566.002)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "c1aaf00e-1f68-4835-85c2-6a5b3d495235", "name": "Entra ID Sign-In Via Known AiTM Phishing Kit (CEPHAS 2FA)", "effort": "elementary", "data_sources": ["Office 365 audit logs", "Azure activity logs"], "description": "Detects a sign-in attempt with known characteristics of the adversary-in-the-middle phishing kit CEPHAS 2FA.", "attack": ["collection - Adversary-in-the-Middle (T1557)", "credential-access - Multi-Factor Authentication Interception (T1111)"], "intake-formats": ["Microsoft 365 / Office 365", "Microsoft Entra ID / Azure AD"]}, {"uuid": "62468573-5611-423a-b28e-56f55b0e948c", "name": "Login Brute-Force Successful On Okta", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "A user has attempted to login several times (brute-force) on Okta and succeeded to login.", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Okta"]}, {"uuid": "f4b3a101-337d-4e6f-8531-07a41fd2c97f", "name": "Okta User Impersonation Access", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "A user has initiated a session impersonation granting them access to the environment with the permissions of the user they are impersonating. This would likely indicate Okta administrative access and should only ever occur if requested and expected.", "attack": ["privilege-escalation - Account Manipulation (T1098)", "privilege-escalation - Abuse Elevation Control Mechanism (T1548)"], "intake-formats": ["Okta"]}, {"uuid": "8bd976c0-55c0-41d9-86f3-864c5f9ff48b", "name": "Microsoft Entra ID (Azure AD) Leaked Credentials", "effort": "master", "data_sources": ["Azure activity logs"], "description": "Detects when Microsoft Entra ID (Azure AD) identifies that the user's valid credentials have been leaked. This sharing is typically done by posting publicly on the dark web, paste sites, or by trading and selling the credentials on the black market. To use this feature, you must have an Microsoft Entra ID (Azure AD) Premium P2 license (https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection).", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "b87c67e0-7896-4264-a1ba-ffbbb398706c", "name": "AWS CloudTrail RDS Public DB Restore", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs", "File monitoring"], "description": "Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.", "attack": ["exfiltration - Automated Exfiltration (T1020)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "10df500b-714a-469b-810a-76bdc0da5f5e", "name": "Bitsight SPM Material Vulnerability", "effort": "master", "data_sources": ["Asset management"], "description": "Bitsight SPM has raised a material vulnerability finding", "attack": ["reconnaissance - Vulnerability Scanning (T1595.002)"], "intake-formats": ["Bitsight SPM"]}, {"uuid": "663ba461-95cd-40a4-be49-f1a7d7776314", "name": "Microsoft Defender for Office 365 Medium Severity AIR Alert", "effort": "master", "data_sources": ["Office 365 audit logs"], "description": "Microsoft Defender for Office 365 includes the capability to run Automated investigation and response (AIR) actions. This rule detects when a Medium severity alert triggers an automated investigation, such as when suspicious email sending patterns are detected from an account.", "attack": ["resource-development - Compromise Accounts (T1586)", "resource-development - Email Accounts (T1586.002)", "initial-access - Phishing (T1566)", "initial-access - Spearphishing Attachment (T1566.001)", "initial-access - Spearphishing Link (T1566.002)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "3da65917-8be8-45e4-864a-e7e91ab00c0a", "name": "Google Workspace Admin Modification", "effort": "master", "data_sources": ["GCP audit logs"], "description": "Detects when an admin is modified.", "attack": ["privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["Google Workspace / ChromeOS"]}, {"uuid": "705e7488-60a2-4613-b398-d546fa64528e", "name": "Microsoft 365 (Office 365) Malware Uploaded On OneDrive", "effort": "intermediate", "data_sources": ["Anti-virus"], "description": "Detects when Microsoft 365 (Office 365) identifies a malicious file uploaded to OneDrive. Attackers can use this method to propagate through the network.", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "b9a68264-9edf-4afc-afae-1b90542b92f3", "name": "AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when a Client ID is removed from an identity provider that supports OpenID Connect. Could be used by attackers for sabotage or to cover their tracks.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "f1d1d368-fed5-4e97-94e9-862bdb3d38c3", "name": "AWS CloudTrail RDS DB Cluster/Instance Deleted", "effort": "advanced", "data_sources": ["AWS CloudTrail logs", "Services"], "description": "Detects when an attacker is destroying a RDS Cluster or Instance", "attack": ["impact - Data Destruction (T1485)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "ffa18f6e-b7ea-46c3-807d-ccc2b94867cc", "name": "Google Workspace Admin Deletion", "effort": "master", "data_sources": ["GCP audit logs"], "description": "Detects when an admin is deleted or when his role is unassigned.", "attack": ["impact - Account Access Removal (T1531)"], "intake-formats": ["Google Workspace / ChromeOS"]}, {"uuid": "dc901edb-447c-4433-a651-6f4225c3c735", "name": "Password Reset Error Brute-Force On AzureAD", "effort": "intermediate", "data_sources": ["Authentication logs", "Azure activity logs"], "description": "A reset of password has failed on Azure Active Directory, 5 times within the same entity.", "attack": ["credential-access - Brute Force (T1110)"], "intake-formats": []}, {"uuid": "e98a6afe-ac53-4d8f-b06e-8ae8c7d2d38b", "name": "Google Workspace Domain Delegation", "effort": "master", "data_sources": ["GCP audit logs"], "description": "Detects when a domain delegation is granted.", "attack": ["privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["Google Workspace / ChromeOS"]}, {"uuid": "06965b3c-4456-4a70-8d2a-1acf231fd9f2", "name": "Correlation Jumpcloud User Logged In From Multiple Countries", "effort": "intermediate", "data_sources": ["Authentication logs"], "description": "Detection of login events from multiple countries on Jumpcloud portal.", "attack": ["resource-development - Compromise Accounts (T1586)"], "intake-formats": []}, {"uuid": "447316a3-4614-4f2a-97b7-556c9ccfc076", "name": "Microsoft 365 Email Forwarding To Privacy Email Address", "effort": "elementary", "data_sources": ["Office 365 audit logs"], "description": "An email forwarding rule was created, that automatically forwards incoming emails to an address outside of the organization (most common privacy email services).", "attack": ["collection - Email Forwarding Rule (T1114.003)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "ee7abe17-1a27-4ebc-bc81-e5cbc64652ab", "name": "Microsoft 365 (Office 365) DLP Policy Removed", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects when a DLP (Data Loss Prevention) policy is removed in Microsoft 365 (Office 365). DLP policies defines which resources can be shared and with whom, preventing sensitive information from being leaked.", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "fa830da5-3fe9-4fa7-8548-5a916346cf65", "name": "Zscaler ZIA Suspicious Threat Outbreak", "effort": "master", "data_sources": ["Web proxy"], "description": "Spots a peak of malicious threat detection by Zscaler ZIA", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": []}, {"uuid": "8dc3c9ab-51d8-4ce9-8771-4007db09c8e6", "name": "Microsoft 365 Security and Compliance Center Medium Severity Alert", "effort": "master", "data_sources": ["Office 365 audit logs"], "description": "A security or compliance-related alert of medium severity was raised, based on the policies of the tenant. This rule can be very noisy depending on the configuration of the tenant. Alert filters are likely required. In addition, most alerts don't include any context, and are only useful if the analysts have access to the Microsoft portals to investigate.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "0d1e16c5-1dc0-4241-bc0a-c5e0b0414d96", "name": "AWS CloudTrail RDS Change Master Password", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs", "File monitoring"], "description": "Detects the change of database master password. It may be a part of data exfiltration.", "attack": ["exfiltration - Automated Exfiltration (T1020)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "4fa216ac-0b38-4bea-b503-bb2f78afa2ce", "name": "GitHub New Organization Member", "effort": "advanced", "data_sources": ["Application logs"], "description": "Detects when a member is added or invited to a GitHub organization.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Github Audit logs"]}, {"uuid": "9a48acdb-54c9-4f84-8f71-499b58c3ebbe", "name": "Google Workspace Admin Creation", "effort": "master", "data_sources": ["GCP audit logs"], "description": "Detects when an admin is created or when his role is changed.", "attack": ["initial-access - Valid Accounts (T1078)"], "intake-formats": ["Google Workspace / ChromeOS"]}, {"uuid": "581e649b-e4b0-4e2a-8264-387049500920", "name": "Okta Unauthorized Access to App", "effort": "master", "data_sources": ["Authentication logs"], "description": "An user tries to access an unauthorized application.", "attack": ["initial-access - Valid Accounts (T1078)"], "intake-formats": ["Okta"]}, {"uuid": "04e1345a-e0f1-4c53-8af7-54a128affa52", "name": "AWS CloudTrail GuardDuty Disruption", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs", "Services"], "description": "Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "d401eccc-9508-4eb5-9539-c2f9f366ac63", "name": "AWS CloudTrail IAM CreateSAMLProvider", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when an IAM user creates a SAML provider, which could allow third-party connection and therefore could be used by attackers.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "b61c9834-b0eb-424e-b3a9-0653872df4d9", "name": "Microsoft Entra ID (Azure AD) MFA Method Change", "effort": "master", "data_sources": ["Azure activity logs"], "description": "This rule detects when an user makes a change to the multifactor authentication methods for their account. In environments where this rule is too noisy, alert filters should be applied, e.g. to focus on privileged accounts, or unusual source network locations.", "attack": ["credential-access - Multi-Factor Authentication (T1556.006)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "075aee9c-4dfe-4577-a75a-85dacd7f5703", "name": "Okta Policy Rule Modified or Deleted", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "Detects when an Okta Policy Rule is Modified or Deleted.", "attack": ["privilege-escalation - Domain or Tenant Policy Modification (T1484)"], "intake-formats": ["Okta"]}, {"uuid": "d01267c2-3c32-4c7a-a6aa-52e3c3d7008d", "name": "Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically", "effort": "master", "data_sources": ["Office 365 audit logs"], "description": "Microsoft Defender for Office 365 includes the capability to run Automated investigation and response (AIR) actions. This rule detects when a Low or Informational severity alert triggered an automated investigation, and remediation was conducted automatically. Low and Informational alerts include when an email is reported by a user, or when a malicious email is removed after delivery.", "attack": ["initial-access - Phishing (T1566)", "initial-access - Spearphishing Attachment (T1566.001)", "initial-access - Spearphishing Link (T1566.002)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "defed353-d2e8-4171-9abb-bb43f84e59c5", "name": "Google Cloud Audit Logs 2FA Disabled", "effort": "intermediate", "data_sources": ["GCP audit logs"], "description": "Detects when Google Cloud Audit Logs notify the 2FA deactivation for a user account.", "attack": ["credential-access - Unsecured Credentials (T1552)"], "intake-formats": []}, {"uuid": "e5a9528e-bd74-4f78-88a2-f24786c428db", "name": "AWS CloudTrail EventBridge Rule Disabled Or Deleted", "effort": "master", "data_sources": ["AWS CloudTrail logs"], "description": "Detects when an attacker is trying to evade defenses by deleting or disabling EventBridge rules", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "6bcb7467-becb-4c45-b243-dad5aac5d550", "name": "Okta Many Passwords Reset Attempt", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "This rule identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their target's environment and evade detection.", "attack": ["initial-access - Valid Accounts (T1078)"], "intake-formats": ["Okta"]}, {"uuid": "5981c962-760b-474d-814a-d7197a43bbe5", "name": "SecurityScorecard Vulnerability Assessment Scanner New Issues", "effort": "master", "data_sources": ["Application logs"], "description": "Raises an alert when SecurityScorecard Vulnerability Assessment Scanner find new issues.", "attack": ["initial-access - External Remote Services (T1133)"], "intake-formats": ["SecurityScorecard Vulnerability Assessment Scanner"]}, {"uuid": "f177e556-ca5a-4953-a4d6-a2fc75054603", "name": "Okta API Token revoked", "effort": "advanced", "data_sources": ["Access tokens", "Authentication logs"], "description": "A new API Token has been deleted on Okta SSO.", "attack": ["privilege-escalation - Access Token Manipulation (T1134)"], "intake-formats": ["Okta"]}, {"uuid": "25956d53-480b-4e05-9ec3-5389a5bd5bb4", "name": "RSA SecurID Failed Authentification", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "Detects many failed attempts to authenticate followed by a successfull login for a super admin account.", "attack": ["credential-access - Brute Force (T1110)"], "intake-formats": ["RSA SecurID"]}, {"uuid": "9d1f1412-5b8c-4744-910f-51ca727ad68f", "name": "Google Workspace Account Warning", "effort": "elementary", "data_sources": ["GCP audit logs"], "description": "Detects a suspicious login, leaked password, or account disabled following suspicious activity.", "attack": ["initial-access - Valid Accounts (T1078)"], "intake-formats": ["Google Workspace / ChromeOS"]}, {"uuid": "110ae745-e4df-4b5c-87e8-e330efebc69e", "name": "Jumpcloud Account Locked", "effort": "intermediate", "data_sources": ["Authentication logs"], "description": "A user has been locked on Jumpcloud portal.", "attack": ["impact - Account Access Removal (T1531)"], "intake-formats": ["Jumpcloud Directory Insights"]}, {"uuid": "ec9a2626-beca-42c9-bca7-0921ae3f56cc", "name": "AWS CloudTrail Root ConsoleLogin", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs"], "description": "Detects a login with a root account on AWS portal. It is a best practice to avoid root account usage for daily tasks and to create an IAM admin user.", "attack": ["defense-impairment - Modify Cloud Compute Infrastructure (T1578)", "privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "3b13033b-908b-4ee9-8560-09414dcff952", "name": "AWS CloudTrail EC2 Startup Script Changed", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs"], "description": "Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM everytime the specific instances are booted up.", "attack": ["execution - PowerShell (T1059.001)", "execution - Windows Command Shell (T1059.003)", "execution - Unix Shell (T1059.004)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "040ec2b1-b41b-4dfc-a9fc-d71fd90cd30c", "name": "Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects the implementation of a MailBoxAuditBypassAssociation option in Microsoft 365 (Office 365). This option is used when you configure a user or computer account to bypass mailbox audit logging, access or actions taken by the user or computer account to any mailbox isn't logged.", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "da823e97-7f85-4133-b780-363934fba799", "name": "Okta User Account Locked", "effort": "intermediate", "data_sources": ["Authentication logs"], "description": "An user has been locked in Okta.", "attack": ["impact - Account Access Removal (T1531)"], "intake-formats": ["Okta"]}, {"uuid": "dfea5bf5-9c18-4064-af93-840ec8dbd1e0", "name": "Jumpcloud Api Key Updated", "effort": "advanced", "data_sources": ["Access tokens", "Authentication logs"], "description": "An API Token has been updated on Jumplcoud portal.", "attack": ["privilege-escalation - Access Token Manipulation (T1134)"], "intake-formats": ["Jumpcloud Directory Insights"]}, {"uuid": "a00512d4-0e9f-43ee-bef9-05d327d8632d", "name": "Microsoft 365 (Office 365) MCAS Risky IP", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects when Microsoft Cloud App Security identifies sign-ins from a risky IP address, for example, using an anonymous browser or VPN. To use this feature, you must have an Microsoft 365 (Office 365) E5 license (https://docs.microsoft.com/en-us/defender-cloud-apps/get-started?culture=fr-fr&country=FR).", "attack": ["execution - User Execution (T1204)", "initial-access - Phishing (T1566)"], "intake-formats": ["Microsoft 365 / Office 365"]}, {"uuid": "91e35f85-ca28-4024-b543-50ca5bf4f6af", "name": "AWS Suspicious Discovery Commands", "effort": "master", "data_sources": ["AWS CloudTrail logs"], "description": "Attackers often use discovery commands such as DescribeInstances or DescribeSecurityGroups, and many others, to find how an AWS tenant is configured.", "attack": ["discovery - Cloud Infrastructure Discovery (T1580)", "discovery - Cloud Service Discovery (T1526)", "discovery - Cloud Storage Object Discovery (T1619)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "3f839059-676f-41c9-9297-aa8ec3670841", "name": "Entra ID Sign-In Via Known AiTM Phishing Kit (Mamba 2FA)", "effort": "elementary", "data_sources": ["Office 365 audit logs", "Azure activity logs"], "description": "Detects a sign-in attempt with known characteristics of the adversary-in-the-middle phishing kit tracked by Sekoia.io as Mamba 2FA.", "attack": ["collection - Adversary-in-the-Middle (T1557)", "credential-access - Multi-Factor Authentication Interception (T1111)"], "intake-formats": ["Microsoft 365 / Office 365", "Microsoft Entra ID / Azure AD", "GraphAPI for Microsoft Entra ID / Azure AD"]}, {"uuid": "d7d45cd6-c4f5-4e7b-ae75-f3f785092131", "name": "Microsoft Entra ID (Azure AD) Unfamiliar Features", "effort": "master", "data_sources": ["Azure activity logs"], "description": "Detects when Microsoft Entra ID (Azure AD) identifies sign-ins with characteristics that deviate from past sign-in properties. To use this feature, you must have an Microsoft Entra ID (Azure AD) Premium P2 license (https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection).", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "28f31550-2834-4afe-a432-688f3fd4d9e5", "name": "AWS CloudTrail IAM Password Policy Updated", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs"], "description": "Detects an update to the password policy. This could be an attempt to lower accounts security level.", "attack": ["defense-impairment - Modify Cloud Compute Infrastructure (T1578)", "privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "83e4edae-4c8a-47fb-8f74-9087b889e5a9", "name": "AWS CloudTrail Config Disable Channel/Recorder", "effort": "elementary", "data_sources": ["AWS CloudTrail logs", "Services"], "description": "Detects AWS Config Service disabling channel or recorder", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "9952002d-2042-4ef7-b8c5-42c9b55e184b", "name": "AWS CloudTrail IAM CreateOpenIDConnectProvider", "effort": "intermediate", "data_sources": ["AWS CloudTrail logs"], "description": "Detects the creation of an IAM entity to describe an identity provider that supports OpenID Connect.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "06e7bdb0-4bc2-409e-9165-9513f14ce1e6", "name": "Suspicious Activity Using Quick Assist", "effort": "elementary", "data_sources": ["Office 365 account logs"], "description": "Detects when a chat is created (abusing Quick Assist feature) with a user external to the domain, which has been observed as a some phishing attemp by ransomware groups.", "attack": ["command-and-control - Remote Access Tools (T1219)"], "intake-formats": []}, {"uuid": "f99d848e-cb4c-4276-bcb7-521064bc69f8", "name": "Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding", "effort": "master", "data_sources": ["Azure activity logs"], "description": "Detects when Microsoft Entra ID (Azure AD) identifies suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address. To use this feature, you must have an Microsoft Entra ID (Azure AD) Premium P2 license (https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection).", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "16113193-d20e-4e77-a70f-8731444641dc", "name": "Microsoft Entra ID (Azure AD) Impossible Travel", "effort": "master", "data_sources": ["Azure activity logs"], "description": "Detects when Microsoft Entra ID (Azure AD) identifies two user activities (a single or multiple sessions) originating from geographically distant locations within a time period shorter than the time it would have taken the user to travel from the first location to the second. To use this feature, you must have an Microsoft Entra ID (Azure AD) Premium P2 license (https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection).", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "dfaadb61-a377-49df-a6bc-51e7b6c8bf86", "name": "Microsoft Entra ID (Azure AD) Suspicious IP", "effort": "intermediate", "data_sources": ["Azure activity logs"], "description": "Detects when Microsoft Entra ID (Azure AD) identifies a suspicious IP address. An IP address is considered suspicious based on high failure rates because of invalid credentials received from the IP address or other IP reputation sources. To use this feature, you must have an Microsoft Entra ID (Azure AD) Premium P2 license (https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection).", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["Microsoft Entra ID / Azure AD"]}, {"uuid": "f26c7221-b6e8-4c3b-8b35-2aabab97445a", "name": "AWS Persistence By Creating KeyPair And SecurityGroup", "effort": "master", "data_sources": ["AWS CloudTrail logs"], "description": "Attackers can use AWS credentials to create a KeyPair and a SecurityGroup to have continuous access to the AWS account.", "attack": ["persistence - Cloud Account (T1136.003)"], "intake-formats": ["AWS CloudTrail"]}, {"uuid": "f5485133-ff25-4d25-aef8-6e9d797e4ea2", "name": "Bitsight SPM Severe Vulnerability", "effort": "master", "data_sources": ["Asset management"], "description": "Bitsight SPM has raised a severe vulnerability finding", "attack": ["reconnaissance - Vulnerability Scanning (T1595.002)"], "intake-formats": ["Bitsight SPM"]}, {"uuid": "5f1bb380-00f3-498c-9ce0-8b9a4e667e4a", "name": "Sekoia.io Endpoint Agent Inactivity", "effort": "master", "data_sources": ["Network device logs"], "description": "Detects multiple hostnames with inactived Sekoia.io Endpoint Agent for at least one hour.", "attack": ["stealth - Disable or Modify System Firewall (T1562.004)"], "intake-formats": []}, {"uuid": "9ca720e3-028b-430f-9311-1985c9a9c719", "name": "Sekoia.io Endpoint Agent Stopped", "effort": "master", "data_sources": ["Network device logs"], "description": "Detects when the Sekoia.io Endpoint Agent is stopped. This could be an attacker impairing defenses to evade detection.", "attack": ["stealth - Disable or Modify System Firewall (T1562.004)"], "intake-formats": []}, {"uuid": "070fbb0f-6821-46d2-b42a-84f82777d3bf", "name": "Login Brute-Force Successful On SentinelOne EDR Management Console", "effort": "master", "data_sources": ["Anti-virus"], "description": "A user has attempted to login several times (brute-force) on the SentinelOne EDR Management Console and succeeded to login.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["Palo Alto NGFW", "AWS CloudTrail", "Fortinet FortiProxy", "Microsoft Entra ID / Azure AD", "Microsoft Intune", "Azure Database for MySQL", "WithSecure Elements", "Palo Alto Prisma access", "Postfix", "SentinelOne EDR", "Cisco Umbrella DNS", "Apache HTTP Server", "Fortinet FortiGate", "F5 BIG-IP", "Azure Windows", "Windows", "Elastic Winlogbeat", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "b7a2b0c8-cc8f-4f4a-948c-199ad4833176", "name": "Login Failed Brute-Force On SentinelOne EDR Management Console", "effort": "master", "data_sources": ["Anti-virus"], "description": "A user has attempted to login several times (brute-force) on the SentinelOne EDR Management Console and failed every time.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["SentinelOne EDR"]}, {"uuid": "0a265021-eaf4-4721-b828-6c58ac5ee6ad", "name": "Sekoia.io Endpoint Agent Uninstalled", "effort": "advanced", "data_sources": ["Network device logs"], "description": "Detects when the Sekoia.io Endpoint Agent is uninstalled. This could be an attacker impairing the defenses.", "attack": ["stealth - Disable or Modify System Firewall (T1562.004)"], "intake-formats": ["Sekoia.io Endpoint Agent"]}, {"uuid": "1185d763-c341-4cf8-af9f-8475acb8c331", "name": "Sysmon Windows File Block Executable", "effort": "master", "data_sources": ["Process monitoring", "File monitoring", "Windows event logs"], "description": "Sysmon has blocked an executable file from being written to the disk. This could be a malicious binary to investigate.  ", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["Elastic Winlogbeat", "WithSecure Elements", "Stormshield SES", "Azure Windows", "Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "cef8d6f5-2b8f-4335-b05f-b854d1884ff6", "name": "Cybereason EDR Malware Detection", "effort": "master", "data_sources": ["Anti-virus"], "description": "Cybereason EDR telemetry has detected a malware", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["Cybereason EDR"]}, {"uuid": "37b6614b-6d80-4a3f-a24d-afb751e891ea", "name": "SEKOIA.IO Intelligence Feed", "effort": null, "data_sources": [], "description": "Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.", "attack": ["exfiltration - Exfiltration Over C2 Channel (T1041)", "command-and-control - Application Layer Protocol (T1071)", "initial-access - Phishing (T1566)"], "intake-formats": ["NeroSwarm Honeypot", "Cloudflare Gateway HTTP", "Azure Network Watcher [DEPRECATED]", "Trellix Network Security", "Ekinops OneOS", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Apache SpamAssassin", "F5 Distributed Cloud", "Forcepoint Management Server", "Cloudflare Access Requests", "Tanium", "Thinkst Canary", "Salesforce", "VMware vCenter", "Fastly Next-Gen WAF Alerts", "Azure Front Door", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Unbound", "Vade for M365", "GraphAPI for Microsoft Entra ID / Azure AD", "Microsoft Intune", "Azure Database for MySQL", "Zscaler Internet Access", "Gatewatcher AionIQ V103", "FreeRADIUS", "CEF", "SentinelOne EDR", "Wiz Audit Logs", "Cato Networks SASE", "Akamai Guardicore On-Prem [BETA]", "Olfeo secure web gateway", "One Identity SPS", "Microsoft Entra ID / Azure AD", "Ubika Cloud Protector Next Generation Alerts", "Check Point Harmony Email & Collaboration Suite Security", "Delinea PRA", "WatchGuard Firebox", "Microsoft Always On VPN", "Systancia Cleanroom", "Bitdefender GravityZone", "AWS WAF", "AWS CloudFront", "Cisco Meraki MX", "Check Point NGFW", "Elastic Winlogbeat", "Cisco NX-OS", "Cisco ESA", "Seckiot Citadelle", "Kubernetes Audit Log", "Trapster (by Ballpoint) [BETA]", "Azure Network Watcher Flow Logs", "Cloudflare Audit logs", "BeyondTrust Privileged Remote Access Syslog [BETA]", "Hornetsecurity 365 Total Protection", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "Cloudflare DNS logs", "Google Workspace / ChromeOS", "OCSF", "AWS CloudTrail", "Microsoft 365 Message Trace [DEPRECATED]", "Juniper Networks Switches", "Claroty xDome", "Cisco Umbrella DNS", "Juniper NGFW", "Ivanti / Pulse Connect Secure", "Mimecast Email Security", "Citrix NetScaler / ADC", "Palo Alto NGFW", "Cisco Umbrella IP", "Nanocorp [BETA]", "Stormshield SNS", "Apache HTTP Server", "F5 BIG-IP", "PRODAFT USTA Cyber Threat Intelligence Platform", "Ubika Cloud Protector Traffic [DEPRECATED]", "Cisco Secure Firewall", "Trellix ePO (on-prem)", "ArubaOS Switch", "Cloudflare HTTP requests", "IBM AIX", "OGO WAF", "Jumpcloud Directory Insights", "Sophos Firewall", "MokN - Baits", "Varonis Data Security", "Azure Activity Logs", "Trellix EPO [ALPHA]", "CrowdStrike Falcon", "Infoblox DDI", "Microsoft 365 / Office 365", "Gatewatcher AionIQ v102", "Palo Alto Prisma access", "Akamai Guardicore Cloud [BETA]", "Trend Micro Apex One / Vision One endpoint", "Retarus Email Security", "BeyondTrust Privileged Remote Access Session", "Netskope", "SonicWall Secure Mobile Access", "ESET Protect", "Zscaler Private Access [BETA]", "Broadcom/Symantec Endpoint Security", "Netskope Transaction Events with AWS S3", "AWS GuardDuty", "TEHTRIS EDR", "Watchguard EPDR", "Lacework Cloud Security", "Proofpoint TAP", "WithSecure Elements", "Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "WatchGuard Endpoint Security / Panda Security Aether", "Forcepoint Secure Web Gateway", "Cisco Duo Security", "Cisco ISE", "Nozomi CMC", "Radware DefensePro [Beta]", "IBM iSeries", "OpenBSD Packet Filter / OPNSense / PfSense", "Rubycat PROVE IT", "Cloudflare WAF events", "Jizo AI / Sesame it NDR", "PingFederate", "Proofpoint PoD", "Stormshield SES", "AWS VPC Flow logs", "Microsoft 365 Message Trace (Graph API)", "Cisco Umbrella Proxy", "ManageEngine ADAudit Plus", "Cisco IOS router and switch", "Google VPC Flow Logs", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "EfficientIP SOLIDServer DDI", "SentinelOne Singularity Identity", "Netfilter", "Suricata", "Google Cloud Audit Logs", "Palo Alto Cortex XDR (EDR)", "Cloudflare Gateway DNS", "Postfix", "Azure Files", "Ubika Cloud Protector Alerts [DEPRECATED]", "Azure Windows", "Nozomi Vantage", "NucleonEDR", "Okta", "Google Cloud Load Balancing", "CyberArk Audit Logs", "Squid", "Azure Key Vault", "Barracuda CloudGen Firewall", "Cisco Catalyst SD-WAN", "Netskope Transaction Events [DEPRECATED]", "Trend Micro Cloud One / Deep Security", "LockSelf LockPass/LockTransfer/LockFiles", "Ubika WAAP Gateway", "Keycloak Events", "Fortinet FortiProxy", "Imperva WAF", "Cisco Secure Web Appliance", "ISC DHCP", "Azure Application Gateway", "F5 NGINX", "Olfeo SAAS", "OpenLDAP", "SonicWall Firewall", "WALLIX Bastion", "Clavister NGFW", "Fortinet FortiWeb", "CyberArk Digital Vault", "Fortinet FortiMail", "Cloudflare Gateway Network", "Fortinet FortiGate", "Trellix Advanced Threat Defense", "HAProxy", "OpenSSH", "VMware ESXi", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "BIND", "Vectra Cognito Detect"]}, {"uuid": "37b6614b-6d80-4a3f-a24d-afb751e891ea", "name": "SEKOIA.IO Intelligence Feed", "effort": null, "data_sources": [], "description": "Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.", "attack": ["exfiltration - Exfiltration Over C2 Channel (T1041)"], "intake-formats": ["Cloudflare Gateway HTTP", "Trellix Network Security", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Thinkst Canary", "Fastly Next-Gen WAF Audit Logs", "Salesforce", "VMware vCenter", "Azure Front Door", "Zscaler Internet Access", "CEF", "SentinelOne EDR", "Cato Networks SASE", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "Trend Micro Vision One OAT [BETA]", "Check Point Harmony Email & Collaboration Suite Security", "Delinea PRA", "Bitdefender GravityZone", "AWS WAF", "Cisco Meraki MX", "Check Point NGFW", "Cisco ESA", "Microsoft Defender XDR (Graph API) [BETA]", "OCSF", "Mimecast Email Security", "Citrix NetScaler / ADC", "Palo Alto NGFW", "Apache HTTP Server", "F5 BIG-IP", "PRODAFT USTA Cyber Threat Intelligence Platform", "Cisco Secure Firewall", "OGO WAF", "Sophos Firewall", "Microsoft 365 / Office 365", "Palo Alto Prisma access", "Trend Micro Apex One / Vision One endpoint", "BeyondTrust Privileged Remote Access Session", "Netskope", "Broadcom Edge Secure Web Gateway", "Zscaler Private Access [BETA]", "Broadcom/Symantec Endpoint Security", "Netskope Transaction Events with AWS S3", "TEHTRIS EDR", "Proofpoint TAP", "Forcepoint Secure Web Gateway", "Cisco ISE", "Sophos EDR", "Jizo AI / Sesame it NDR", "PingFederate", "Proofpoint PoD", "Stormshield SES", "Cisco Umbrella Proxy", "Cisco IOS router and switch", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Suricata", "Azure Files", "Google Cloud Load Balancing", "Squid", "Azure Key Vault", "Netskope Transaction Events [DEPRECATED]", "Trend Micro Cloud One / Deep Security", "Ubika WAAP Gateway", "Fortinet FortiProxy", "Imperva WAF", "Cisco Secure Web Appliance", "Sekoia.io activity logs", "Azure Application Gateway", "F5 NGINX", "Olfeo SAAS", "SonicWall Firewall", "Fortinet FortiMail", "Fortinet FortiGate", "HAProxy", "VMware ESXi", "SentinelOne Cloud Funnel 2.0", "Lookout Mobile Endpoint Security", "BeyondTrust PRA Team [BETA]"]}, {"uuid": "37b6614b-6d80-4a3f-a24d-afb751e891ea", "name": "SEKOIA.IO Intelligence Feed", "effort": null, "data_sources": [], "description": "Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.", "attack": ["exfiltration - Exfiltration Over C2 Channel (T1041)"], "intake-formats": ["Retarus Email Security", "Cisco NX-OS", "Cloudflare Gateway HTTP", "Zscaler Private Access [BETA]", "Broadcom/Symantec Endpoint Security", "Hornetsecurity 365 Total Protection", "AWS GuardDuty", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Squid", "OCSF", "Fortinet FortiProxy", "Imperva WAF", "Thinkst Canary", "Cisco Secure Web Appliance", "Claroty xDome", "Forcepoint Secure Web Gateway", "Cisco ISE", "Nozomi CMC", "Sophos Analysis Threat Center", "Juniper NGFW", "F5 NGINX", "Ivanti / Pulse Connect Secure", "WALLIX Bastion", "SonicWall Firewall", "Palo Alto NGFW", "Cloudflare WAF events", "PingFederate", "Trend Micro Apex One / Vision One endpoint", "Zscaler Internet Access", "CyberArk Digital Vault", "Cisco Umbrella Proxy", "CEF", "Apache HTTP Server", "Cloudflare Gateway Network", "F5 BIG-IP", "Fortinet FortiGate", "Cato Networks SASE", "Cisco Secure Firewall", "Akamai Guardicore On-Prem [BETA]", "Fortinet FortiMail", "HAProxy", "Windows", "SentinelOne Singularity Identity", "ArubaOS Switch", "One Identity SPS", "Vade Cloud", "OGO WAF", "Delinea PRA", "Sophos Firewall", "WatchGuard Firebox", "VMware ESXi", "CrowdStrike Falcon", "AWS WAF", "Gatewatcher AionIQ v102", "Palo Alto Prisma access", "Postfix", "AWS CloudFront", "Azure Windows", "Vectra Cognito Detect", "Check Point NGFW", "Akamai Guardicore Cloud [BETA]", "Elastic Winlogbeat"]}, {"uuid": "37b6614b-6d80-4a3f-a24d-afb751e891ea", "name": "SEKOIA.IO Intelligence Feed", "effort": null, "data_sources": [], "description": "Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.", "attack": ["exfiltration - Exfiltration Over C2 Channel (T1041)"], "intake-formats": ["NeroSwarm Honeypot", "Cloudflare Gateway HTTP", "Azure Network Watcher [DEPRECATED]", "Trellix Network Security", "Ekinops OneOS", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "F5 Distributed Cloud", "Tanium", "Thinkst Canary", "VMware vCenter", "Forcepoint Next-Generation Firewall", "RSA SecurID", "Zscaler Internet Access", "Gatewatcher AionIQ V103", "FreeRADIUS", "CEF", "SentinelOne EDR", "Cato Networks SASE", "Akamai Guardicore On-Prem [BETA]", "One Identity SPS", "Delinea PRA", "WatchGuard Firebox", "Cisco Meraki MX", "Check Point NGFW", "Elastic Winlogbeat", "Cisco NX-OS", "Seckiot Citadelle", "Trapster (by Ballpoint) [BETA]", "Azure Network Watcher Flow Logs", "Hornetsecurity 365 Total Protection", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "OCSF", "Juniper Networks Switches", "Claroty xDome", "Juniper NGFW", "Ivanti / Pulse Connect Secure", "Mimecast Email Security", "Citrix NetScaler / ADC", "Palo Alto NGFW", "Cisco Umbrella IP", "Nanocorp [BETA]", "Stormshield SNS", "F5 BIG-IP", "Cisco Secure Firewall", "Trellix ePO (on-prem)", "ArubaOS Switch", "Varonis Data Security", "Sophos Firewall", "Trellix EPO [ALPHA]", "CrowdStrike Falcon", "Infoblox DDI", "Palo Alto Prisma access", "Gatewatcher AionIQ v102", "Akamai Guardicore Cloud [BETA]", "Trend Micro Apex One / Vision One endpoint", "Netskope", "Broadcom Edge Secure Web Gateway", "ESET Protect", "Zscaler Private Access [BETA]", "Broadcom/Symantec Endpoint Security", "Netskope Transaction Events with AWS S3", "AWS GuardDuty", "TEHTRIS EDR", "WithSecure Elements", "Forcepoint Secure Web Gateway", "Cisco ISE", "Nozomi CMC", "Radware DefensePro [Beta]", "OpenBSD Packet Filter / OPNSense / PfSense", "Jizo AI / Sesame it NDR", "Stormshield SES", "Wiz Issues", "AWS VPC Flow logs", "Microsoft 365 Message Trace (Graph API)", "Cisco Umbrella Proxy", "Cisco IOS router and switch", "Google VPC Flow Logs", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "Vade Cloud", "Netfilter", "Suricata", "Palo Alto Cortex XDR (EDR)", "Cloudflare Gateway DNS", "Postfix", "Azure Windows", "NucleonEDR", "Nozomi Vantage", "Google Cloud Load Balancing", "CyberArk Audit Logs", "Squid", "Barracuda CloudGen Firewall", "Cisco Catalyst SD-WAN", "Netskope Transaction Events [DEPRECATED]", "Trend Micro Cloud One / Deep Security", "Ubika WAAP Gateway", "Fortinet FortiProxy", "Cybereason EDR activity", "Cisco Secure Web Appliance", "ISC DHCP", "Azure Application Gateway", "F5 NGINX", "Olfeo SAAS", "OpenLDAP", "SonicWall Firewall", "WALLIX Bastion", "Clavister NGFW", "Fortinet FortiWeb", "CyberArk Digital Vault", "Fortinet FortiMail", "Cloudflare Gateway Network", "Fortinet FortiGate", "Trellix Advanced Threat Defense", "HAProxy", "OpenSSH", "VMware ESXi", "SentinelOne Cloud Funnel 2.0", "Vectra Cognito Detect"]}, {"uuid": "06ff5006-6e40-411e-8b44-cdbae6972657", "name": "CrowdStrike Falcon Intrusion Detection Critical Severity", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon agent raised an alert for an intrusion detection with critical severity", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "296d4a04-b489-400a-bae2-371fb6043f7f", "name": "Microsoft Defender XDR Alert", "effort": "master", "data_sources": ["Anti-virus"], "description": "Microsoft Defender XDR has raised an alert. The alert info and evidence events are grouped with the similarity into the same Sekoia.io alert.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "361f9c26-c095-480b-8f12-17a9ca2daf8b", "name": "Daspren Parad Malicious Behavior", "effort": "master", "data_sources": ["Data loss prevention"], "description": "Detects when Daspren Parad kills a process with a malicious behavior.", "attack": ["privilege-escalation - Process Injection (T1055)"], "intake-formats": ["Daspren Parad"]}, {"uuid": "c0fae1bb-25a2-4323-973b-d123208f76e6", "name": "CrowdStrike Falcon Intrusion Detection High Severity EppDetection", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon agent raised an alert for an intrusion detection with high severity with the new EppDetectionSummaryEvent.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "b3ad008e-410b-47ba-881d-8fffe25e5bbb", "name": "Tenable Identity Exposure / Alsid Critical Severity Alert", "effort": "master", "data_sources": ["Application logs"], "description": "Tenable Identity Exposure / Alsid raised a critical severity alert.", "attack": ["privilege-escalation - Domain or Tenant Policy Modification (T1484)"], "intake-formats": ["Tenable Identity Exposure / Alsid"]}, {"uuid": "b7ef8686-1bef-4733-82c1-211a886f2259", "name": "HarfangLab EDR Low Threat", "effort": "master", "data_sources": ["Windows event logs", "Process monitoring", "File monitoring"], "description": "HarfangLab EDR detected a threat with a low level. This detection by the EDR is based on several detection rules.", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "70bccd47-1a34-4f9d-9929-8efdc0dbc7ce", "name": "Palo Alto Cortex XDR (EDR) Alert Not Blocked (Medium Severity)", "effort": "master", "data_sources": ["Anti-virus"], "description": "A Palo Alto Cortex XDR (EDR) agent has raised an alert of medium severity that was not blocked.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Palo Alto Cortex XDR (EDR)"]}, {"uuid": "2080b31b-f7cf-4904-ad1e-9f135e3fc533", "name": "Gatewatcher AionIQ V103 Dga Detect", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects when an event related to dga is raised by gatewatcher. An attacker can use this to generate a new domain for C2.", "attack": ["command-and-control - Domain Generation Algorithms (T1568.002)"], "intake-formats": ["Gatewatcher AionIQ V103"]}, {"uuid": "889ab345-93fe-4779-87ad-bd11ae03204d", "name": "HarfangLab EDR Low Level Rule Detection", "effort": "master", "data_sources": ["Process monitoring", "File monitoring", "Windows event logs"], "description": "HarfangLab EDR has raised an alert based on a low level rule (not using hlai engine)", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "3a9ff07f-1403-4545-b68c-1f226621388c", "name": "Vectra General Threat Detection", "effort": "master", "data_sources": ["Anti-virus"], "description": "Vectra Cognito detected a potential threat. This is a very generic rule to raise as much alerts as possible from Vectra detections however RECONNAISSANCE and INFO categories have been removed to avoid spamming.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Vectra Cognito Detect"]}, {"uuid": "44ed63ea-827e-436c-82b4-d63c9abda5cd", "name": "Microsoft Defender XDR Endpoint Alert", "effort": "master", "data_sources": ["Anti-virus"], "description": "Microsoft Defender XDR has raised an alert for Microsoft Defender for Endpoint. The alert info and evidence events are grouped with the similarity into the same Sekoia.io alert.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "dde1a236-8f21-4a25-aa7c-5d239463d55c", "name": "CrowdStrike Falcon Intrusion Detection Low Severity", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon agent raised an alert for an intrusion detection with low severity", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "9470d781-37eb-49f7-b994-e8cabed86c8e", "name": "AWS GuardDuty Medium Severity Alert", "effort": "master", "data_sources": ["Services", "Application logs"], "description": "GuardDuty has detected a threat with a medium severity level. A Medium severity level indicates suspicious activity that deviates from normally observed behavior and, depending on your use case, may be indicative of a resource compromise.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)"], "intake-formats": ["AWS GuardDuty"]}, {"uuid": "df0deb9e-8ba3-483c-adad-c46e7df022b9", "name": "CrowdStrike Falcon Intrusion Detection Informational Severity", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon agent raised an alert for an intrusion detection with informational severity", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "2ac96bd4-0614-4096-9f77-38657028c860", "name": "HarfangLab EDR High Level Rule Detection", "effort": "master", "data_sources": ["Process monitoring", "File monitoring", "Windows event logs"], "description": "HarfangLab EDR has raised an alert based on a high level rule (not using hlai engine)", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "2e3e20b0-0f19-4536-9df2-6e89cb96bf91", "name": "Sophos EDR Application Detected", "effort": "master", "data_sources": ["Anti-virus"], "description": "Sophos EDR detected a potentially malicious application.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Sophos EDR"]}, {"uuid": "5895e296-e6ea-4417-9c19-ef8b448d8643", "name": "Trend Micro Apex One Data Loss Prevention Alert", "effort": "master", "data_sources": ["Data loss prevention"], "description": "Trend Micro Apex One has raised an alert for data loss prevention.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint"]}, {"uuid": "04874680-3e68-48f8-83a0-28bcb7b970e2", "name": "CrowdStrike Falcon Identity Protection Detection Low Severity", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon raised an alert for an Identity-based detection with low severity", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "3e36a6e5-1859-48f9-8179-68449f0ea106", "name": "SentinelOne EDR Threat Mitigation Report Quarantine Success", "effort": "master", "data_sources": ["Anti-virus"], "description": "A SentinelOne EDR agent has detected and quarantined a threat with success, defined by the action.type field's value.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["SentinelOne EDR"]}, {"uuid": "0473dde6-b47e-4ffa-98ec-6369fee4a841", "name": "Claroty xDome Network Threat Detection Alert", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Claroty xDome has raised an network threat detection alert.", "attack": ["exfiltration - Exfiltration Over C2 Channel (T1041)"], "intake-formats": ["Claroty xDome"]}, {"uuid": "fdd8add0-5b6b-4474-94ab-cceb33f271fd", "name": "Trend Micro Vision One Workbench high Severity Alert", "effort": "master", "data_sources": ["Anti-virus", "Network intrusion detection system"], "description": "Detects when a high alert severity is raised by Trend Micro Vision One Workbench.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["Trend Micro Vision One Workbench Alerts [BETA]"]}, {"uuid": "db3bdb5e-f409-4190-8b8c-6a0a9e1ee2f2", "name": "SentinelOne EDR Threat Detected (Malicious)", "effort": "master", "data_sources": ["Anti-virus"], "description": "A SentinelOne EDR agent has detected a threat with a high confidence level (malicious).", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["SentinelOne EDR"]}, {"uuid": "30d06740-9e6f-4557-9b71-0ddf6d88e4ae", "name": "HarfangLab EDR Suspicious Process Behavior Has Been Detected", "effort": "master", "data_sources": ["Process monitoring", "File monitoring", "Windows event logs"], "description": "HarfangLab EDR has detected a suspicious process behavior based on its detection rule. Check the rule name and description for more information.", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "2ccba683-f116-439e-81d5-204a7e374c7d", "name": "Netskope Admin Audit High Severity", "effort": "master", "data_sources": ["Web application firewall logs", "Web logs", "Web proxy"], "description": "Audit events detection for admin activites that differ from authentications, with high severity level according to Netskope.", "attack": ["initial-access - Cloud Accounts (T1078.004)"], "intake-formats": ["Netskope"]}, {"uuid": "3086c43f-4987-4fdd-8f4e-f93a4e2d7396", "name": "Suricata Attempted Administrator Privilege Gain High Severity Alert", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects a high severity alert triggered from Suricata Attempted Administrator Privilege Gain category.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Suricata"]}, {"uuid": "20f8da14-4a53-41a2-badd-dadb57d753fc", "name": "Trend Micro Vision One Workbench Low Severity Alert", "effort": "master", "data_sources": ["Anti-virus", "Network intrusion detection system"], "description": "Detects when a low alert severity is raised by Trend Micro Vision One Workbench.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["Trend Micro Vision One Workbench Alerts [BETA]"]}, {"uuid": "55a63b5c-a12b-4e45-abee-1933c31d1c94", "name": "Netskope DLP Alert", "effort": "master", "data_sources": ["Web application firewall logs", "Web logs", "Web proxy"], "description": "Detects DLP alerts which are not allowed.  ", "attack": ["collection - Data from Cloud Storage (T1530)", "discovery - File and Directory Discovery (T1083)"], "intake-formats": ["Netskope"]}, {"uuid": "49655b5c-56a9-43b2-8133-71a8bcf4686e", "name": "Varonis Data Security Intrusion Detection High Severity Alert", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Varonis Data Security has raised a high severity alert for its intrusion detection engine.", "attack": ["reconnaissance - Active Scanning (T1595)"], "intake-formats": []}, {"uuid": "cc0ae2f1-b9f6-4f6d-b2a8-e170e24bc45a", "name": "Gatewatcher AionIQ V103 Network Behavior Analytics", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects when network behavior analytics were requested.", "attack": ["reconnaissance - Gather Victim Network Information (T1590)"], "intake-formats": ["Gatewatcher AionIQ V103"]}, {"uuid": "9c122008-6d54-4242-8ada-484d534399f3", "name": "SentinelOne EDR User Logged In To The Management Console", "effort": "master", "data_sources": ["Anti-virus"], "description": "A user has logged in to the management console.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["SentinelOne EDR"]}, {"uuid": "ea2763ad-216b-4741-b89c-e81fa7e96459", "name": "CrowdStrike Falcon Identity Protection Detection Informational Severity", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon raised an alert for an Identity-based detection with informational severity", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "3965d9c0-627d-4d6f-923c-7c141c617c98", "name": "WithSecure Elements Warning Severity", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects when WithSecure Elements raised an event with a warning (and is not blocked or quarantined).", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["WithSecure Elements"]}, {"uuid": "27e3c11d-b011-465a-81d2-0efe7888e925", "name": "HarfangLab EDR Critical Level Rule Detection", "effort": "master", "data_sources": ["Process monitoring", "File monitoring", "Windows event logs"], "description": "HarfangLab EDR has raised an alert based on a critical level rule (not using hlai engine)", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "37485dd1-3e35-44c4-8727-bd818717a1d8", "name": "TEHTRIS EDR Alert", "effort": "master", "data_sources": ["Anti-virus"], "description": "Tehtris EDR telemetry has raised an alert.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["TEHTRIS EDR"]}, {"uuid": "8f725900-3745-41b3-b14f-a7532b8d02c8", "name": "Varonis Data Security Intrusion Detection Medium Severity Alert", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Varonis Data Security has raised a medium severity alert for its intrusion detection engine.", "attack": ["reconnaissance - Active Scanning (T1595)"], "intake-formats": []}, {"uuid": "668589c8-594c-4c22-a6ab-6700b73c19f1", "name": "Cybereason EDR Alert", "effort": "master", "data_sources": ["Anti-virus"], "description": "Cybereason EDR telemetry has raised an alert", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["Cybereason EDR"]}, {"uuid": "257a26ef-dfc9-42ef-9841-f12705503601", "name": "Lacework Cloud Security Critical Severity Alert", "effort": "master", "data_sources": ["Authentication logs"], "description": "Detects when a critical alert severity is raised by Lacework. This severity level might indicates a suspicious change in configuration or policy violation.", "attack": ["execution - User Execution (T1204)", "defense-impairment - Modify Cloud Compute Infrastructure (T1578)"], "intake-formats": ["Lacework Cloud Security"]}, {"uuid": "c52c8a90-0975-4549-8e24-85a68f98c29d", "name": "Gatewatcher AionIQ V103 Retrohunt", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects when a retrohunt event is raised by GatewatcherV103.", "attack": ["reconnaissance - Phishing for Information (T1598)"], "intake-formats": ["Gatewatcher AionIQ V103"]}, {"uuid": "8f9a8f4b-68d4-4a7a-847e-5e51de764a1f", "name": "Gatewatcher AionIQ Malware Alert", "effort": "master", "data_sources": ["Anti-virus"], "description": "Forward malware information reported by Gatewatcher AionIQ  ", "attack": ["exfiltration - Exfiltration Over C2 Channel (T1041)"], "intake-formats": ["Gatewatcher AionIQ v102"]}, {"uuid": "bc59eba3-1b4f-4136-92ab-01830b96c492", "name": "SentinelOne EDR Threat Mitigation Report Kill Success", "effort": "master", "data_sources": ["Anti-virus"], "description": "A SentinelOne EDR agent has detected and killed a threat (usually kills the malicious process), defined by the action.type field's value.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["SentinelOne EDR"]}, {"uuid": "5ffe9ddd-6a9c-4eec-b379-cc59ce5d3987", "name": "Gatewatcher AionIQ V103 Malcore", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects a malcore alert by Gatewatcher AionIQ V103 related to documents with passwords.", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["Gatewatcher AionIQ V103"]}, {"uuid": "a8825a11-51a0-46e0-81d5-10c05a2b75dd", "name": "Stormshield Ses Critical Not Block", "effort": "master", "data_sources": ["Process monitoring", "File monitoring"], "description": "Stormshield Endpoint Security detect threat with critical severity that was not blocked", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Stormshield SES"]}, {"uuid": "e951e5a3-ea71-45e5-bb57-4a06d6a2f50a", "name": "CrowdStrike Falcon Intrusion Detection Informational Severity EppDetection", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon agent raised an alert for an intrusion detection with informational severity with the new EppDetectionSummaryEvent.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "4a092989-5fc2-4ec8-86ca-d32b8d5af5d3", "name": "SentinelOne EDR User Failed To Log In To The Management Console", "effort": "master", "data_sources": ["Anti-virus"], "description": "A user has failed to log in to the management console.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["SentinelOne EDR"]}, {"uuid": "15bdb80b-b9ec-4919-8bae-f744a5956c20", "name": "Suricata Exploit Kit Activity Detected High Severity Alert", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects a high severity alert triggered from Suricata Exploit Kit Activity Detected category.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Suricata"]}, {"uuid": "a0056b11-b266-4788-a5b8-fedb83211d7b", "name": "HarfangLab EDR Medium Level Rule Detection", "effort": "master", "data_sources": ["Process monitoring", "File monitoring", "Windows event logs"], "description": "HarfangLab EDR has raised an alert based on a medium level rule (not using hlai engine)", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "942970ca-8d67-4730-b625-5370d4a3fcb2", "name": "Proofpoint TAP Email Classified As Phishing But Allowed", "effort": "master", "data_sources": ["Anti-virus", "Email gateway"], "description": "An email was classified as phishing with a threat score greater than 50 by Proofpoint TAP but was not blocked. The threshold on the Threat Score has been defined to avoid a high amount of false positives.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Proofpoint TAP"]}, {"uuid": "3ac90d58-f204-40e3-9e0a-f012505dc33a", "name": "CrowdStrike Falcon Intrusion Detection Medium Severity", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon agent raised an alert for an intrusion detection with medium severity", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "155e8e09-6a0f-496c-9e8f-5943a1a81f17", "name": "Fastly Next-Gen WAF Audit Threat Alert", "effort": "master", "data_sources": ["Web application firewall logs"], "description": "Forward a threat detection made by Fastly Next-Gen WAF Audit Logs", "attack": ["reconnaissance - Vulnerability Scanning (T1595.002)"], "intake-formats": ["Fastly Next-Gen WAF Audit Logs"]}, {"uuid": "3759e6d8-5aab-4091-aeda-4a92fe88d23d", "name": "Proofpoint TAP Email Classified As Spam But Allowed", "effort": "master", "data_sources": ["Anti-virus", "Email gateway"], "description": "An email was classified as spam with a threat score greater than 50 by Proofpoint TAP but was not blocked. The threshold on the Threat Score has been defined to avoid a high amount of false positives.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Proofpoint TAP"]}, {"uuid": "9e7ba071-8750-451b-bc4f-e4d39d28225f", "name": "Trend Micro Cloud One Low Intrusion", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects when Trend Micro EDR raised an alert for an intrusion with a low severity level.", "attack": ["initial-access - External Remote Services (T1133)"], "intake-formats": ["Trend Micro Cloud One / Deep Security"]}, {"uuid": "b58128b0-c3d5-4c6b-8e66-0f19c8e71980", "name": "Sophos EDR CorePUA Clean", "effort": "master", "data_sources": ["Anti-virus"], "description": "Sophos EDR detected a potentially unwanted application and cleaned it.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Sophos EDR"]}, {"uuid": "9521deb9-569f-4be6-81ab-da01a381ff52", "name": "SentinelOne EDR Threat Mitigation Report Remediate Success", "effort": "master", "data_sources": ["Anti-virus"], "description": "A SentinelOne EDR agent has remediated a threat, defined by the action.type field's value.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["SentinelOne EDR"]}, {"uuid": "d667150d-0358-46ea-8db7-467f35a513f6", "name": "Microsoft Defender XDR Entra ID Protection Alert", "effort": "master", "data_sources": ["Anti-virus"], "description": "Microsoft Defender XDR has raised an alert for Microsoft Entra ID Protection. The alert info and evidence events are grouped with the similarity into the same Sekoia.io alert.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "4c5d2b6f-e27e-45e9-a687-451bb616ad85", "name": "WIZ Issues Critical Alert Raised", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects when a critical alert from WIZ Issues is raised.", "attack": ["execution - Cloud Administration Command (T1651)"], "intake-formats": ["Wiz Issues"]}, {"uuid": "f8f8e12e-4b3d-4086-b10a-6358bc2a8af9", "name": "Trend Micro Vision One Workbench Medium Severity Alert", "effort": "master", "data_sources": ["Anti-virus", "Network intrusion detection system"], "description": "Detects when a medium alert severity is raised by Trend Micro Vision One Workbench.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["Trend Micro Vision One Workbench Alerts [BETA]"]}, {"uuid": "a6488637-6c14-457f-bef7-5af5174d513d", "name": "Microsoft Defender XDR Office 365 Alert", "effort": "master", "data_sources": ["Anti-virus"], "description": "Microsoft Defender XDR for Office 365 has raised an alert. The alert info and evidence events are grouped with the similarity into the same Sekoia.io alert.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "60a4ed42-3569-4be1-919a-5d3fb2a9b2d1", "name": "SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively", "effort": "master", "data_sources": ["Anti-virus"], "description": "A SentinelOne EDR agent has detected a malicious threat which has been mitigated preemptively, defined by the action.type field's value.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["SentinelOne EDR"]}, {"uuid": "d63463ba-4ebb-491a-b35d-c405b032aeff", "name": "SentinelOne EDR Threat Detected (Suspicious)", "effort": "master", "data_sources": ["Anti-virus"], "description": "A SentinelOne EDR agent has detected a threat with a medium confidence level (suspicious).", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["SentinelOne EDR"]}, {"uuid": "93e51ed6-35f1-47e6-b5c9-c60d390beef3", "name": "SentinelOne EDR Custom Rule Alert", "effort": "master", "data_sources": ["Anti-virus"], "description": "A SentinelOne EDR agent has detected a threat related to a Custom Rule and raised an alert for it.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["SentinelOne EDR"]}, {"uuid": "50330470-e076-4741-a52a-1f19137c5412", "name": "Gatewatcher AionIQ V103 Malicious Powershell Detect", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects malicious powershell by Gatewatcher V103.", "attack": ["exfiltration - Scheduled Transfer (T1029)"], "intake-formats": ["Gatewatcher AionIQ V103"]}, {"uuid": "63c88c6a-3370-400c-9699-43d1ae03746b", "name": "Trend Micro Vision One Workbench Critical Severity Alert", "effort": "master", "data_sources": ["Anti-virus", "Network intrusion detection system"], "description": "Detects when a critical alert severity is raised by Trend Micro Vision One Workbench.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["Trend Micro Vision One Workbench Alerts [BETA]"]}, {"uuid": "a7470e53-1159-4689-9b28-00347885d6d4", "name": "Netskope Malware Patient Zero Detected", "effort": "master", "data_sources": ["Web application firewall logs", "Web logs", "Web proxy"], "description": "Netskope identified a malware as Patient Zero.", "attack": ["initial-access - Cloud Accounts (T1078.004)"], "intake-formats": ["Netskope"]}, {"uuid": "2fe195a8-bf16-4905-8cc3-74f2e8b80c76", "name": "HarfangLab EDR Process Execution Blocked (HL-AI engine)", "effort": "master", "data_sources": ["Process monitoring", "File monitoring", "Windows event logs"], "description": "HarfangLab EDR's machine learning malware detection module (HL-AI) has detected a suspicious binary and blocked its execution. To know more on what caused this alert, you should check the value of the process name and the concerned computer and user.", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "a080ed0e-e7db-4883-a84f-7afb9b8e9071", "name": "Lacework Cloud Security High Severity Alert", "effort": "master", "data_sources": ["Authentication logs"], "description": "Detects when a high alert severity is raised by Lacework. This severity level might indicates a suspicious change in configuration or policy violation.", "attack": ["execution - User Execution (T1204)", "defense-impairment - Modify Cloud Compute Infrastructure (T1578)"], "intake-formats": ["Lacework Cloud Security"]}, {"uuid": "ee37d914-3e81-4f84-b59f-22e1d156e68e", "name": "Gatewatcher AionIQ V103 Beacon Detect", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects a suspicious beacon.", "attack": ["exfiltration - Exfiltration Over C2 Channel (T1041)"], "intake-formats": ["Gatewatcher AionIQ V103"]}, {"uuid": "01af42c2-e60e-4a38-9d0b-90bdb837535a", "name": "Darktrace Threat Visualizer Threat Suspicious Alert", "effort": "master", "data_sources": ["DNS records", "Web logs"], "description": "Darktrace Threat Visualizer has raised a threat suspicious alert related to one supervised device", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["Darktrace Threat Visualizer"]}, {"uuid": "27792193-4d81-4780-8a4f-51dc32d9e88a", "name": "Microsoft Defender XDR Data Loss Prevention Alert", "effort": "master", "data_sources": ["Anti-virus"], "description": "Microsoft Defender XDR has raised an alert for Data Loss Prevention. The alert info and evidence events are grouped with the similarity into the same Sekoia.io alert.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "009f3bcb-eb04-4082-b672-c7fdcf776156", "name": "Trend Micro Cloud One Medium Intrusion", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects when Trend Micro EDR raised an alert for an intrusion with a medium severity level.", "attack": ["initial-access - External Remote Services (T1133)"], "intake-formats": ["Trend Micro Cloud One / Deep Security"]}, {"uuid": "c0f88b01-038d-4ac8-96bb-ef7183678111", "name": "Gatewatcher AionIQ V103 Shellcode Detect", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects when a suspicious shellcode is used.", "attack": ["execution - Command and Scripting Interpreter (T1059)"], "intake-formats": ["Gatewatcher AionIQ V103"]}, {"uuid": "d4c4bda6-ebac-4bc1-8f32-fd645f224921", "name": "Lacework Cloud Security Low Severity Alert", "effort": "master", "data_sources": ["Authentication logs"], "description": "Detects when a low alert severity is raised by Lacework. This severity level might indicates a change in configuration that could be malicious or not.", "attack": ["execution - User Execution (T1204)", "defense-impairment - Modify Cloud Compute Infrastructure (T1578)"], "intake-formats": ["Lacework Cloud Security"]}, {"uuid": "234efc86-611d-48cd-bc01-57f1d5ee4fc5", "name": "Threat Detected By Hornetsecurity 365 Total Protection", "effort": "master", "data_sources": ["Anti-virus", "Email gateway"], "description": "Hornetsecurity 365 Total Protection has detected a threat from an e-mail.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Hornetsecurity 365 Total Protection"]}, {"uuid": "059af0aa-b61b-4645-8b13-816cfcd7521e", "name": "Varonis Data Security Email High Severity Alert", "effort": "master", "data_sources": ["Anti-virus", "Email gateway"], "description": "Varonis Data Security has raised a high severity alert related to a supervised email account.", "attack": ["resource-development - Email Accounts (T1586.002)"], "intake-formats": []}, {"uuid": "79ce2c85-5de3-4d55-8818-1b6e2793d8b8", "name": "CrowdStrike Falcon Identity Protection Detection Medium Severity", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon raised an alert for an Identity-based detection with medium severity", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "0b42a6f3-df0c-436e-9dc0-5e9f01c18076", "name": "Alert High Severity Sesame it Jizo NDR", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects a high severity alert raised by SesameIT.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Jizo AI / Sesame it NDR"]}, {"uuid": "f8f81a0e-2454-4d76-a6bb-185b671e4e38", "name": "HarfangLab EDR High Threat", "effort": "master", "data_sources": ["Windows event logs", "Process monitoring", "File monitoring"], "description": "HarfangLab EDR detected a threat with a high level. This detection by the EDR is based on several detection rules.", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "e0a96f3e-cd28-4a62-aa05-9e4fdd2bacdd", "name": "Netskope Malware Detected", "effort": "master", "data_sources": ["Web application firewall logs", "Web logs", "Web proxy"], "description": "Netskope identified a malware with a high severity (excluding Patient Zero here)", "attack": ["initial-access - Cloud Accounts (T1078.004)"], "intake-formats": ["Netskope"]}, {"uuid": "fa963edb-a443-455c-87d8-adbeb801956c", "name": "SentinelOne EDR SSO User Added", "effort": "master", "data_sources": ["Anti-virus"], "description": "A SSO User was added.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["SentinelOne EDR"]}, {"uuid": "e771572f-efe2-4baa-b60b-75be6f5f2b6a", "name": "Gatewatcher AionIQ Network Alert", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Forward network alerts reported by Gatewatcher AionIQ  ", "attack": ["exfiltration - Exfiltration Over C2 Channel (T1041)"], "intake-formats": ["Gatewatcher AionIQ v102"]}, {"uuid": "438c4d73-45fd-43e6-94c7-1f3f9e6935df", "name": "Netskope Alerts Compliance", "effort": "master", "data_sources": ["Web application firewall logs", "Web logs", "Web proxy"], "description": "Forward alerts reported by Netskope related to compliance issues.", "attack": ["exfiltration - Exfiltration Over C2 Channel (T1041)"], "intake-formats": ["Netskope"]}, {"uuid": "1ac11e22-50e8-49c0-8b9e-bb3de89c1e65", "name": "CrowdStrike Falcon Intrusion Detection", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon agent raised an alert for an intrusion detection", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "d7c26641-31e7-4ff7-bcd5-6f76f07d6f05", "name": "WithSecure Elements Critical Severity", "effort": "master", "data_sources": ["Anti-virus"], "description": "WithSecure Elements has several modules. One constant is the severity of a raised event, which can be critical and therefore interesting to look at.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["WithSecure Elements"]}, {"uuid": "4417dd6a-344c-41fe-96ce-4ee1e352221a", "name": "AWS GuardDuty Low Severity Alert", "effort": "master", "data_sources": ["Services", "Application logs"], "description": "GuardDuty has detected a threat with a low severity level. A low severity level indicates attempted suspicious activity that did not compromise your network, for example, a port scan or a failed intrusion attempt.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)"], "intake-formats": ["AWS GuardDuty"]}, {"uuid": "3518e350-e146-440d-8c81-517fa8d7037b", "name": "Trend Micro Apex One Intrusion Detection Alert", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Trend Micro Apex One has raised an alert for an intrusion detection.", "attack": ["initial-access - External Remote Services (T1133)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint"]}, {"uuid": "0d300416-3108-4fb5-aa07-2b4d7b20a50d", "name": "Stormshield Ses Critical Block", "effort": "master", "data_sources": ["Process monitoring", "File monitoring"], "description": "Stormshield Endpoint Security block execution with critical severity", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Stormshield SES"]}, {"uuid": "bb85d6f6-3391-481a-bafb-00fba96ab57e", "name": "Palo Alto Cortex XDR (EDR) Alert Not Blocked (Low Severity)", "effort": "master", "data_sources": ["Anti-virus"], "description": "A Palo Alto Cortex XDR (EDR) agent has raised an alert of low severity that was not blocked.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Palo Alto Cortex XDR (EDR)"]}, {"uuid": "c150a932-7307-4597-a232-3d94d48c3caf", "name": "Datadome Protection Intrusion Detection", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects when Datadome protection raises an alert linked to intrusion. Datadome is used against fraud and bots.", "attack": ["initial-access - External Remote Services (T1133)"], "intake-formats": ["Datadome Protection"]}, {"uuid": "9fd6d5bf-b0e1-456e-aa1e-c1b6e8779255", "name": "Trend Micro Apex One Malware Alert", "effort": "master", "data_sources": ["Anti-virus"], "description": "Trend Micro Apex One has detected a malware.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["Trend Micro Apex One / Vision One endpoint"]}, {"uuid": "0d3d2d64-bdd0-404f-bcf0-3b90773fb500", "name": "Varonis Data Security Network Medium Severity Alert", "effort": "master", "data_sources": ["Anti-virus"], "description": "Varonis Data Security has raised a medium severity alert related to a network rule", "attack": ["resource-development - Email Accounts (T1586.002)"], "intake-formats": []}, {"uuid": "fb1ac826-4fe5-44bc-a007-a6b7dd83c955", "name": "HarfangLab EDR Medium Threat", "effort": "master", "data_sources": ["Windows event logs", "Process monitoring", "File monitoring"], "description": "HarfangLab EDR detected a threat with a medium level. This detection by the EDR is based on several detection rules.", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "9b39f460-99e6-4f26-8605-e9a9c7ef9259", "name": "Varonis Data Security Network High Severity Alert", "effort": "master", "data_sources": ["Anti-virus"], "description": "Varonis Data Security has raised a high severity  alert related to a network rule", "attack": ["resource-development - Email Accounts (T1586.002)"], "intake-formats": []}, {"uuid": "01bf03f8-24a7-420a-b677-ab90a76cc467", "name": "Stormshield Ses Emergency Block", "effort": "master", "data_sources": ["Process monitoring", "File monitoring"], "description": "Stormshield Endpoint Security block execution with emergency severity", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Stormshield SES"]}, {"uuid": "49ba54f8-0577-4c38-916d-71507dd3cef0", "name": "Bitdefender GravityZone Endpoint Detection", "effort": "master", "data_sources": ["Anti-virus"], "description": "Bitdefender GravityZone detected a malicious activity on an endpoint", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["Bitdefender GravityZone"]}, {"uuid": "96df58e3-2292-4404-bb81-628a4e2e6964", "name": "Broadcom/Symantec Endpoint Security Event Cleaned", "effort": "master", "data_sources": ["Anti-virus"], "description": "Broadcom/Symantec Endpoint Security had cleaned action. Careful when activating this rule, it generates lots of events that are not always relevant for detection.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Broadcom/Symantec Endpoint Security"]}, {"uuid": "8f3a7413-4778-47e5-9381-40aac270cd9c", "name": "CrowdStrike Falcon Mobile Detection High Severity", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon for Mobile raised an alert with high severity", "attack": ["command-and-control - Application Layer Protocol (T1071)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "59aca553-6076-42b2-8e00-9a7a0ecbf54e", "name": "CrowdStrike Falcon Intrusion Detection EppDetection", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon agent raised an alert for an intrusion detection with the new EppDetectionSummaryEvent type.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "bec7b15d-ce83-4541-a6ae-b7f6b673fc2d", "name": "Netskope Web Isolation On Suspicious Domain", "effort": "master", "data_sources": ["Web application firewall logs", "Web logs", "Web proxy"], "description": "Netskope identified a suspicious domain and triggered web sandboxing (RBI)", "attack": ["initial-access - Cloud Accounts (T1078.004)"], "intake-formats": ["Netskope"]}, {"uuid": "ad1858b2-eaf4-473f-9748-80e7fa6933c8", "name": "HarfangLab EDR Hlai Engine Detection", "effort": "master", "data_sources": ["Process monitoring", "File monitoring", "Windows event logs"], "description": "HarfangLab EDR has raised an alert based on its hlai engine", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "4c19d1fc-802f-439e-9c09-b101ff9d453e", "name": "Suricata Web Application Attack High Severity Alert", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects a high severity alert triggered from Suricata Web Application Attack category.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Suricata"]}, {"uuid": "6cd5326c-c101-4a58-a8f4-5fce748a4f1e", "name": "Tenable Identity Exposure / Alsid High Severity Alert", "effort": "master", "data_sources": ["Application logs"], "description": "Tenable Identity Exposure / Alsid raised an alert.", "attack": ["privilege-escalation - Domain or Tenant Policy Modification (T1484)"], "intake-formats": ["Tenable Identity Exposure / Alsid"]}, {"uuid": "cc263302-7773-46dc-b4ee-e493e5fb6cae", "name": "Gatewatcher AionIQ V103 Active CTI", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects whan an event related to CTI is raised by Gatewatcher V103. An attacker may be gathering information with this event.", "attack": ["reconnaissance - Phishing for Information (T1598)"], "intake-formats": ["Gatewatcher AionIQ V103"]}, {"uuid": "9c61ab50-5928-472f-847e-585c2012d6a9", "name": "Advanced Threat Detected By Hornetsecurity 365 Total Protection", "effort": "master", "data_sources": ["Anti-virus", "Email gateway"], "description": "Hornetsecurity 365 Total Protection has detected an advanced threat from an e-mail.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Hornetsecurity 365 Total Protection"]}, {"uuid": "98ad956d-3f52-4ad0-9396-c7750bd63941", "name": "CrowdStrike Falcon Intrusion Detection High Severity", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon agent raised an alert for an intrusion detection with high severity", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "45dd3f4e-b662-419b-8621-8cf4b4bc9ed1", "name": "Lacework Cloud Security Medium Severity Alert", "effort": "master", "data_sources": ["Authentication logs"], "description": "Detects when a medium alert severity is raised by Lacework. This severity level might indicates a suspicious activity such as new source from user connection.", "attack": ["execution - User Execution (T1204)", "defense-impairment - Modify Cloud Compute Infrastructure (T1578)"], "intake-formats": ["Lacework Cloud Security"]}, {"uuid": "a4bbc0fd-24b6-484d-87df-929ec2ffaa65", "name": "Proofpoint TAP Email Classified As Malware But Allowed", "effort": "master", "data_sources": ["Anti-virus", "Email gateway"], "description": "An email was classified as malware with a threat score greater than 0 by Proofpoint TAP but was not blocked. The threshold on the Threat Score has been defined to avoid a high amount of false positives.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Proofpoint TAP"]}, {"uuid": "f50fde58-1c7d-4be2-9830-722bbfa2fdfb", "name": "Sophos EDR CorePUA Detection", "effort": "master", "data_sources": ["Anti-virus"], "description": "Sophos EDR detected a potentially unwanted application.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Sophos EDR"]}, {"uuid": "521c2752-d48f-4fa3-9c19-bde3b73a2c3f", "name": "Varonis Data Security Email Medium Severity Alert", "effort": "master", "data_sources": ["Anti-virus", "Email gateway"], "description": "Varonis Data Security has raised a medium severity alert related to a supervised email account.", "attack": ["resource-development - Email Accounts (T1586.002)"], "intake-formats": []}, {"uuid": "edab49e0-ca83-4255-b636-c6fbd7e4a6da", "name": "CrowdStrike Falcon Intrusion Detection Medium Severity EppDetection", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon agent raised an alert for an intrusion detection with medium severity with the new EppDetectionSummaryEvent.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "155bac75-4179-46a1-81f1-3a9e2931411c", "name": "Microsoft Defender XDR Cloud App Security Alert", "effort": "master", "data_sources": ["Anti-virus"], "description": "Microsoft Defender XDR has raised an alert for Microsoft Cloud App Security. The alert info and evidence events are grouped with the similarity into the same Sekoia.io alert.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "0d432b2f-e0a1-4d81-bdd6-ef341a09bf9e", "name": "Palo Alto Cortex XDR (EDR) Alert (Critical Severity)", "effort": "master", "data_sources": ["Anti-virus"], "description": "A Palo Alto Cortex XDR (EDR) agent has raised an alert of critical severity (only DETECTED and not SCANNED status).", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Palo Alto Cortex XDR (EDR)"]}, {"uuid": "7fdc2381-22d2-43ae-aa22-6a0e6a8abfef", "name": "Broadcom/Symantec Endpoint Security Event Quarantined", "effort": "master", "data_sources": ["Anti-virus"], "description": "Broadcom/Symantec Endpoint Security had a quarantined action. Careful when activating this rule, it generates lots of events that are not always relevant for detection.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Broadcom/Symantec Endpoint Security"]}, {"uuid": "a69827e8-3537-40a3-9638-f4b10274f750", "name": "SentinelOne EDR Malicious Threat Not Mitigated", "effort": "master", "data_sources": ["Anti-virus"], "description": "A SentinelOne EDR agent has detected a threat but did not mitigate it, defined by the action.type field's value.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["SentinelOne EDR"]}, {"uuid": "68202697-3994-45b6-8074-89a6f90e4448", "name": "Darktrace Threat Visualizer Model Breach Suspicious Activity", "effort": "master", "data_sources": ["DNS records", "Web logs"], "description": "Darktrace Threat Visualizer has detected a network critical activity related to one supervised device", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["Darktrace Threat Visualizer"]}, {"uuid": "593315ce-94ac-4b23-aa37-bae66e98625b", "name": "CrowdStrike Falcon Mobile Detection Low Severity", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon for Mobile raised an alert with low severity", "attack": ["command-and-control - Application Layer Protocol (T1071)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "c2230143-391a-40d8-95f8-a96e3d6d5eb6", "name": "Palo Alto Cortex XDR (EDR) Alert Not Blocked (High Severity)", "effort": "master", "data_sources": ["Anti-virus"], "description": "A Palo Alto Cortex XDR (EDR) agent has raised an alert of high severity that was not blocked.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Palo Alto Cortex XDR (EDR)"]}, {"uuid": "bf8d4b77-ab6f-4351-8048-3e488c9581ed", "name": "Broadcom/Symantec Endpoint Security Event Terminate", "effort": "master", "data_sources": ["Anti-virus"], "description": "Broadcom/Symantec Endpoint Security had a process terminate action. Careful when activating this rule, it generates lots of events that are not always relevant for detection.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Broadcom/Symantec Endpoint Security"]}, {"uuid": "2ff03058-ce93-4e89-8df3-2a62541ce95a", "name": "CrowdStrike Falcon Identity Protection Detection High Severity", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon raised an alert for an Identity-based detection with high severity", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "09b80858-2b75-40b2-907b-94ee090d2dd5", "name": "Sophos EDR Application Blocked", "effort": "master", "data_sources": ["Anti-virus"], "description": "Sophos EDR detected a potentially malicious application and blocked it.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Sophos EDR"]}, {"uuid": "fcdaf7dc-429b-42e4-b4a5-8e36d169e577", "name": "SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence)", "effort": "master", "data_sources": ["Anti-virus"], "description": "A SentinelOne EDR agent has detected a threat with a medium confidence level (suspicious) but did not mitigate it. This is all defined by the action.type field's value.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["SentinelOne EDR"]}, {"uuid": "74c7ac45-ee22-424b-8898-6810376c01a3", "name": "AWS GuardDuty High Severity Alert", "effort": "master", "data_sources": ["Services", "Application logs"], "description": "GuardDuty has detected a threat with a high severity level. A High severity level indicates that the resource in question (an EC2 instance or a set of IAM user sign-in credentials) is compromised and is actively being used for unauthorized purposes.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)"], "intake-formats": ["AWS GuardDuty"]}, {"uuid": "2a9eebe9-d9cd-4d45-be1c-30b273d0e0fb", "name": "CrowdStrike Falcon Mobile Detection Informational Severity", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon for Mobile raised an alert with informational severity", "attack": ["command-and-control - Application Layer Protocol (T1071)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "32917b10-b86d-45ca-b207-ec33c6222dd2", "name": "Gatewatcher AionIQ V103 Sigflow Alert", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects a sigflow alert by Gatewatcher AionIQ V103.", "attack": ["exfiltration - Exfiltration Over C2 Channel (T1041)"], "intake-formats": ["Gatewatcher AionIQ V103"]}, {"uuid": "65da0041-935e-49c0-9d04-96083b4c8cd1", "name": "Varonis Data Security Network Low Severity Alert", "effort": "master", "data_sources": ["Anti-virus"], "description": "Varonis Data Security has raised a low severity alert related to a network rule", "attack": ["resource-development - Email Accounts (T1586.002)"], "intake-formats": []}, {"uuid": "5b0285b5-9a11-404f-b949-5eb2a338151a", "name": "CrowdStrike Falcon Intrusion Detection Critical Severity EppDetection", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon agent raised an alert for an intrusion detection with critical severity with the new EppDetectionSummaryEvent.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "8dbb9170-1fe5-4d00-a9dc-9f6279671c25", "name": "CrowdStrike Falcon Mobile Detection Medium Severity", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon for Mobile raised an alert with medium severity", "attack": ["command-and-control - Application Layer Protocol (T1071)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "1e8f2f96-a165-46f8-9ba1-f0c8181cfab8", "name": "Broadcom/Symantec Endpoint Security Event Blocked", "effort": "master", "data_sources": ["Anti-virus"], "description": "Broadcom/Symantec Endpoint Security blocked an action. Careful when activating this rule, it generates lots of events that are not always relevant for detection.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Broadcom/Symantec Endpoint Security"]}, {"uuid": "ced73b74-09e8-4260-8dab-1098a5753391", "name": "CrowdStrike Falcon Mobile Detection Critical Severity", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon for Mobile raised an alert with critical severity", "attack": ["command-and-control - Application Layer Protocol (T1071)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "98d8af8f-4d43-4fbc-b665-afd3e26f03f4", "name": "Gatewatcher AionIQ V103 Ransomware Detect", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects when a ransomware is detected by gatewatcherV103.", "attack": ["impact - Data Encrypted for Impact (T1486)"], "intake-formats": ["Gatewatcher AionIQ V103"]}, {"uuid": "6cdb5859-98b4-4831-942e-9f7c6f2853e7", "name": "Varonis Data Security Intrusion Detection Low Severity Alert", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Varonis Data Security has raised a low severity alert for its intrusion detection engine.", "attack": ["reconnaissance - Active Scanning (T1595)"], "intake-formats": []}, {"uuid": "50ba885b-86d8-41ae-ab0d-e62c2410089c", "name": "HarfangLab EDR Critical Threat", "effort": "master", "data_sources": ["Windows event logs", "Process monitoring", "File monitoring"], "description": "HarfangLab EDR detected a threat with a critical level. This detection by the EDR is based on several detection rules.", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "4f9e2094-1b5e-44b5-a6db-298d19f8d957", "name": "CrowdStrike Falcon Identity Protection Detection Critical Severity", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon raised an alert for an Identity-based detection with critical severity", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "48a2682f-b224-410f-b9a5-dd68a7ea0e9b", "name": "SentinelOne EDR Threat Mitigation Report Quarantine Failed", "effort": "master", "data_sources": ["Anti-virus"], "description": "A SentinelOne EDR agent has failed to quarantine a threat, defined by the action.type field's value.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["SentinelOne EDR"]}, {"uuid": "def4d95c-e759-4621-8faa-fadc17eddef2", "name": "SentinelOne EDR Agent Disabled", "effort": "master", "data_sources": ["Anti-virus"], "description": "A SentinelOne EDR agent has been disabled according to SentinelOne logs.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["SentinelOne EDR"]}, {"uuid": "f00733ac-3bae-4153-9ed3-1f7d25d0572a", "name": "Trend Micro Cloud One High Intrusion", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects when Trend Micro EDR raised an alert for an intrusion with a high severity level.", "attack": ["initial-access - External Remote Services (T1133)"], "intake-formats": ["Trend Micro Cloud One / Deep Security"]}, {"uuid": "750ea1db-da63-4dc4-872d-089155e29d1c", "name": "Darktrace Threat Visualizer Threat Critical Alert", "effort": "master", "data_sources": ["DNS records", "Web logs"], "description": "Darktrace Threat Visualizer has raised a threat critical alert related to one supervised device", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["Darktrace Threat Visualizer"]}, {"uuid": "3b1b4cd2-36a0-49a6-a79c-19fb4c58971b", "name": "Darktrace Threat Visualizer Model Breach Critical Activity", "effort": "master", "data_sources": ["DNS records", "Web logs"], "description": "Darktrace Threat Visualizer has detected a network critical activity related to one supervised device", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["Darktrace Threat Visualizer"]}, {"uuid": "8e3bd433-37bc-44d9-8498-e55ea86cf543", "name": "CrowdStrike Falcon Intrusion Detection Low Severity EppDetection", "effort": "master", "data_sources": ["Anti-virus"], "description": "CrowdStrike Falcon agent raised an alert for an intrusion detection with low severity with the new EppDetectionSummaryEvent.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["CrowdStrike Falcon"]}, {"uuid": "dfb62fa7-c737-4afb-86a3-76a77d772f70", "name": "Spam Detected By Hornetsecurity 365 Total Protection", "effort": "master", "data_sources": ["Anti-virus", "Email gateway"], "description": "Hornetsecurity 365 Total Protection has detected a spam e-mail.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Hornetsecurity 365 Total Protection"]}, {"uuid": "744922cf-e4ee-40c8-95cc-51e999b94be5", "name": "Login Brute-Force Successful Linux", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "A user has attempted to login several times (brute-force) and succeeded to login on the linux monitored endpoint.", "attack": ["credential-access - Brute Force (T1110)"], "intake-formats": []}, {"uuid": "4595f98d-9464-45d8-9b2d-98ac50d35875", "name": "Shell PID Injection", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "Detects when shells PID are listed and injected in another process. It can be performed to reuse sudo token related to shell in order to elevate privilege and maintain persistence.", "attack": ["privilege-escalation - Access Token Manipulation (T1134)", "persistence - Authentication Package (T1131)", "privilege-escalation - Abuse Elevation Control Mechanism (T1548)", "discovery - Account Discovery (T1087)", "discovery - Remote System Discovery (T1018)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "Barracuda CloudGen Firewall", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Apex One / Vision One endpoint"]}, {"uuid": "24ec3da6-0ba4-4c68-9aff-838899a18890", "name": "Fail2ban Unban IP", "effort": "advanced", "data_sources": ["Process monitoring"], "description": "An IP was ubaned by Fail2ban. It could be use to allow malicous traffic.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "2fd41964-b588-4ab7-adba-e9b08c6dba92", "name": "Remote File Copy", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "Detects the use of remote tools that copy files from or to remote systems", "attack": ["exfiltration - Exfiltration Over C2 Channel (T1041)"], "intake-formats": ["Elastic AuditBeat Linux", "Sekoia.io Endpoint Agent"]}, {"uuid": "c31a6fcb-39f4-44b2-95e8-ebddf9ffcec1", "name": "Linux Masquerading Space After Name", "effort": "intermediate", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "This detection rule identifies a process created from an executable with a space appended to the end of the name.", "attack": ["stealth - Space after Filename (T1036.006)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "ESET Protect", "Broadcom/Symantec Endpoint Security", "Crowdstrike Falcon Telemetry", "TEHTRIS EDR", "Tanium", "WithSecure Elements", "Google Kubernetes Engine", "Daspren Parad", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "SentinelOne EDR", "Kaspersky Endpoint Security", "Akamai Guardicore On-Prem [BETA]", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Trellix ePO (on-prem)", "SentinelOne Singularity Identity", "Trend Micro Vision One OAT [BETA]", "Systancia Cleanroom", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "4cc5bc62-6585-4034-bb52-6e677d72d648", "name": "Landlock Denied Access", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "Landlock LSM (Linux Security Module), has denied an access requests. This is logged by default for a program compiled with Landlock since Linux kernel 6.15.", "attack": ["defense-impairment - Subvert Trust Controls (T1553)"], "intake-formats": []}, {"uuid": "747480aa-cb37-486a-a035-d2884c2ee625", "name": "Network Sniffing", "effort": "advanced", "data_sources": ["Host network interface", "Process command-line parameters", "Process monitoring"], "description": "List of common tools used for network packages sniffing", "attack": ["discovery - Network Sniffing (T1040)"], "intake-formats": ["Cisco NX-OS", "ESET Protect", "Broadcom/Symantec Endpoint Security", "Crowdstrike Falcon Telemetry", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "Keycloak Events", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Thinkst Canary", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Daspren Parad", "IBM iSeries", "Juniper NGFW", "Elastic AuditBeat Linux", "SonicWall Firewall", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CEF", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Akamai Guardicore On-Prem [BETA]", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trellix ePO (on-prem)", "Trend Micro Vision One OAT [BETA]", "Jumpcloud Directory Insights", "Azure Activity Logs", "Trellix EPO [ALPHA]", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "VMware ESXi", "Microsoft 365 / Office 365", "Postfix", "Windows Log Insight", "Azure Windows", "Akamai Guardicore Cloud [BETA]", "Elastic Winlogbeat"]}, {"uuid": "fb940389-cb8c-41cc-9db2-6bf39d3bf551", "name": "SSH X11 Forwarding", "effort": "advanced", "data_sources": ["File monitoring", "Host network interface", "Process monitoring"], "description": "When a user creates and uses SSH X11 Forwarding in Linux, the sshd process opens sockets to communicate with the client machine via a ssh tunnel. X11 forwarding is used to deport graphic programs on the client side.", "attack": ["command-and-control - Protocol Tunneling (T1572)"], "intake-formats": ["Elastic AuditBeat Linux", "Sekoia.io Endpoint Agent"]}, {"uuid": "5956caeb-3bd8-42f9-9def-e7967764b574", "name": "SELinux Disabling", "effort": "intermediate", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "An attacker can disable SELinux to make workstation or server compromise easier as it disables several protections.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["IBM AIX", "Cisco NX-OS", "Broadcom/Symantec Endpoint Security", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "Juniper NGFW", "Elastic Winlogbeat", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "1a0242df-3b77-4ae2-a1e5-78dd7ad8390c", "name": "SSH Port Binding", "effort": "advanced", "data_sources": ["File monitoring", "Host network interface", "Process monitoring"], "description": "When a user uses SSH tunneling in Linux, the sshd process binds sockets to communicate with the client machine via a ssh tunnel. With SSH tunneling, the SSH server can be used as a getaway to access internal systems. The traffic will seem to be coming from the SSH server whereas it only acts as a relay for an attacker. By using this technique, an attacker can successfully bypass external firewall rules. This rule is the most basic one (compared to the other one - SSH Tunnel), however it can detect the -D option in the ssh command if the machine is the client. This rule will detect the port binding (port 6010) when X11 forwarding is used. It will detect -R (server side), -D (client side) -X (server side), -Y (server side) and -L (client side) port binding.", "attack": ["command-and-control - Protocol Tunneling (T1572)"], "intake-formats": []}, {"uuid": "1dc747ed-206a-4e1f-b284-70e5973e61ee", "name": "Certificate Authority Modification", "effort": "master", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "Installation of new certificate(s) in the Certificate Authority can be used to trick user when spoofing website or to add trusted destinations.", "attack": ["defense-impairment - Install Root Certificate (T1553.004)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "ESET Protect", "Broadcom/Symantec Endpoint Security", "NucleonEDR", "Crowdstrike Falcon Telemetry", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "Keycloak Events", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Thinkst Canary", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Daspren Parad", "RSA SecurID", "IBM iSeries", "Juniper NGFW", "Citrix NetScaler / ADC", "Elastic AuditBeat Linux", "SonicWall Firewall", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "CEF", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Akamai Guardicore On-Prem [BETA]", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trellix ePO (on-prem)", "Trend Micro Vision One OAT [BETA]", "Jumpcloud Directory Insights", "Azure Activity Logs", "Trellix EPO [ALPHA]", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Microsoft 365 / Office 365", "Postfix", "VMware ESXi", "Windows Log Insight", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Akamai Guardicore Cloud [BETA]", "Elastic Winlogbeat"]}, {"uuid": "1e9de869-252f-48be-9388-0a0d5e402eb8", "name": "Write To File In Systemd", "effort": "advanced", "data_sources": ["File monitoring"], "description": "A user tried to write something to a file in /etc/systemd/system. This repository contains services that are run at start. It can be used to run a malicious programm at start with high privileges. The prerequisites are to enable monitoring of the execve openat using Auditbeat.", "attack": ["credential-access - /etc/passwd and /etc/shadow (T1003.008)"], "intake-formats": []}, {"uuid": "93f62e0e-d8eb-4b2b-b80d-5ea92b1b9f68", "name": "Correlation Netcat Infection Chain", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "Detect netcat connection to download et execute payload via piped bash", "attack": ["execution - Unix Shell (T1059.004)", "command-and-control - Ingress Tool Transfer (T1105)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "WALLIX Bastion", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "SentinelOne EDR", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "NucleonEDR"]}, {"uuid": "0e156f31-8d70-47b2-ab26-7a57ca9ee907", "name": "Address Space Layout Randomization (ASLR) Alteration", "effort": "intermediate", "data_sources": ["File monitoring", "Process command-line parameters", "Process monitoring"], "description": "ASLR is a security feature used by the Operating System to mitigate memory exploit, attacker might want to disable it", "attack": ["stealth - Disable or Modify Tools (T1562.001)", "privilege-escalation - Proc Memory (T1055.009)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "8df30f04-6124-43c7-929b-656504ee64d0", "name": "Process Anti Debug Checking", "effort": "master", "data_sources": ["File monitoring", "Process command-line parameters", "Process monitoring"], "description": "Entries in /proc/self/status are used by malware to checks if current process is being debug. The prerequisites are to enable monitoring of the openat, openat2, open and open_by_handle_at syscalls using Auditbeat.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": []}, {"uuid": "3d4556e7-1d00-4fcf-9093-a9430f2e40be", "name": "Socat Reverse Shell Detection", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "Socat is a linux tool used to relay or open reverse shell that is often used by attacker to bypass security equipment.", "attack": ["execution - Network Device CLI (T1059.008)", "command-and-control - Protocol Tunneling (T1572)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "131d52bd-ada7-4f45-b640-b6d223368c2d", "name": "System Info Discovery", "effort": "master", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "System info discovery, attempt to detects basic command use to fingerprint a host.", "attack": ["discovery - System Information Discovery (T1082)"], "intake-formats": ["Cisco NX-OS", "ESET Protect", "Broadcom/Symantec Endpoint Security", "Crowdstrike Falcon Telemetry", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "Keycloak Events", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Thinkst Canary", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Daspren Parad", "IBM iSeries", "Juniper NGFW", "Elastic AuditBeat Linux", "SonicWall Firewall", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CEF", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Akamai Guardicore On-Prem [BETA]", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trellix ePO (on-prem)", "Trend Micro Vision One OAT [BETA]", "Jumpcloud Directory Insights", "Azure Activity Logs", "Trellix EPO [ALPHA]", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "VMware ESXi", "Microsoft 365 / Office 365", "Postfix", "Windows Log Insight", "Azure Windows", "Akamai Guardicore Cloud [BETA]", "Elastic Winlogbeat"]}, {"uuid": "221ccb62-3ee7-4ed1-9297-713e620e8388", "name": "Dynamic Linker Hijacking From Environment Variable", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "LD_PRELOAD and LD_LIBRARY_PATH are environment variables used by the Operating System at the runtime to load shared objects (library.ies) when executing a new process, attacker can overwrite this variable to attempts a privileges escalation.", "attack": ["execution - Dynamic Linker Hijacking (T1574.006)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "d5277ae5-c49b-455a-98d1-6780e77728fc", "name": "Linux Shared Lib Injection Via Ldso Preload", "effort": "intermediate", "data_sources": ["File monitoring", "Process command-line parameters", "Process monitoring"], "description": "Detect ld.so.preload modification for shared lib injection, technique used by attackers to load arbitrary code into process", "attack": ["execution - Dynamic Linker Hijacking (T1574.006)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Sophos EDR", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "0759097a-dc56-47c6-97fc-397caeff2fa4", "name": "Correlation Linux Decode And Exec", "effort": "intermediate", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "A Base64 string has been decoded and executed through a pipe. The prerequisites are to enable monitoring of the execve syscall using Auditbeat.", "attack": ["stealth - Deobfuscate/Decode Files or Information (T1140)", "execution - Unix Shell (T1059.004)"], "intake-formats": []}, {"uuid": "aa00ca83-b6b4-417a-9c06-a5ae5b71fa0d", "name": "Main Memory Dumping", "effort": "advanced", "data_sources": ["File monitoring"], "description": "Attacker might want to leverage their permission on the system or steal authentication tokens to third parties software, website, etc. To do so, attacker might try to dump main memory of computer. The prerequisites are to enable monitoring of the openat and open syscalls using Auditbeat.", "attack": ["credential-access - /etc/passwd and /etc/shadow (T1003.008)", "credential-access - Proc Filesystem (T1003.007)"], "intake-formats": []}, {"uuid": "a93fcd3e-4c16-4ef7-b5d8-d642770915be", "name": "Raw Reverse Shell", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "To bypass some security equipment or for a sack of simplicity attackers can open raw reverse shell using sh and or bash commands", "attack": ["execution - Unix Shell (T1059.004)"], "intake-formats": []}, {"uuid": "a301e3fb-f26c-4879-a3e7-742295266421", "name": "SSH Tunnel Traffic", "effort": "advanced", "data_sources": ["File monitoring", "Host network interface", "Process monitoring"], "description": "When a user creates and uses a SSH tunnel in Linux, the sshd process opens sockets to communicate with other machines or ports. With SSH tunneling, the SSH server can be used as a getaway to access internal systems. The traffic will seem to be coming from the SSH server whereas it only acts as a relay for an attacker. By using this technique, an attacker can successfully bypass external firewall rules and gain foothold to your network, allowing him to scan,hunt and attack your internal systems. This rule includes a filter on port 22, this filter is created to avoid false positive when a user is connecting via ssh. If you do not use port 22 for your machines, please create an alert filter.", "attack": ["command-and-control - Protocol Tunneling (T1572)"], "intake-formats": ["Elastic AuditBeat Linux", "Sekoia.io Endpoint Agent"]}, {"uuid": "f4dea50f-07fc-4c86-8c47-b4d37410023b", "name": "Socat Relaying Socket", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "Socat is a linux tool used to relay local socket or internal network connection, this technics is often used by attacker to bypass security equipment such as firewall", "attack": ["execution - Network Device CLI (T1059.008)", "command-and-control - Protocol Tunneling (T1572)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "c8bf9268-1c55-4bdd-a9da-7d19e3237300", "name": "Many Downloads From Several Binaries", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "Threat Actors might use all the binaries to download the payload to make sure at least one is present on the target. The prerequisites are to enable monitoring of the connect syscall using Auditbeat.", "attack": ["command-and-control - Application Layer Protocol (T1071)"], "intake-formats": ["Elastic AuditBeat Linux", "Sekoia.io Endpoint Agent"]}, {"uuid": "a3b6b2cc-2750-443e-92e8-878bfa7828fc", "name": "Kernel Module Alteration", "effort": "advanced", "data_sources": ["File monitoring", "Process command-line parameters", "Process monitoring"], "description": "Kernel module installation can be used to configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. The prerequisites are to enable monitoring of the finit_module, init_module, delete_module syscalls using Auditbeat.", "attack": ["privilege-escalation - Kernel Modules and Extensions (T1547.006)"], "intake-formats": ["Cisco NX-OS", "ESET Protect", "Broadcom/Symantec Endpoint Security", "Crowdstrike Falcon Telemetry", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "Keycloak Events", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Thinkst Canary", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Daspren Parad", "IBM iSeries", "Juniper NGFW", "Elastic AuditBeat Linux", "SonicWall Firewall", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CEF", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Akamai Guardicore On-Prem [BETA]", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trellix ePO (on-prem)", "Trend Micro Vision One OAT [BETA]", "Jumpcloud Directory Insights", "Azure Activity Logs", "Trellix EPO [ALPHA]", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "VMware ESXi", "Microsoft 365 / Office 365", "Postfix", "Windows Log Insight", "Azure Windows", "Akamai Guardicore Cloud [BETA]", "Elastic Winlogbeat"]}, {"uuid": "d43e2999-aa7e-45e2-a13a-0f35fcc92b4c", "name": "Interactive Terminal Spawned via Python", "effort": "advanced", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.", "attack": ["execution - Command and Scripting Interpreter (T1059)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "8a4b8e98-1585-4b3a-b240-e9b4ae285621", "name": "Linux Capabilities Discovery", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "Linux capabilities are special attributes in the Linux kernel that grant processes and binary executables specific privileges that are normally reserved for processes whose effective user ID is 0 (The root user, and only the root user, has UID 0). This rule aims to detect discovery of such capabilities on the Linux system. The prerequisites are to enable monitoring of the execve and getxattr syscalls using Auditbeat.", "attack": ["privilege-escalation - Abuse Elevation Control Mechanism (T1548)"], "intake-formats": []}, {"uuid": "c29c6591-54ff-433b-afc7-dacde0f75246", "name": "CVE 2022-1292", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script.", "attack": ["stealth - Indirect Command Execution (T1202)"], "intake-formats": ["OCSF", "Trend Micro Vision One OAT [BETA]", "Tanium", "WithSecure Elements", "Stormshield SES", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "SentinelOne EDR", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "628013a2-4262-495f-850d-9a46f0bf8f80", "name": "CVE-2021-4034 Polkit's pkexec", "effort": "intermediate", "data_sources": ["File monitoring", "Process command-line parameters", "Process monitoring"], "description": "Detection of Polkit's pkexec exploit", "attack": ["privilege-escalation - Exploitation for Privilege Escalation (T1068)"], "intake-formats": ["IBM AIX", "Cisco NX-OS", "Broadcom/Symantec Endpoint Security", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "Juniper NGFW", "Elastic Winlogbeat", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "87cd36b2-afe4-4d79-ae0f-d06e7f2e5175", "name": "Erase Shell History", "effort": "advanced", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "Malware and attacker try to reduce their fingerprints on compromised host by deleting shell history.", "attack": ["stealth - Clear Command History (T1070.003)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "4688c4db-afb3-4547-b92d-9ed78053653d", "name": "Linux Remove Immutable Attribute", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "Adversaries may used chattr utility to alter file and folder attributes to control sudden operations like the deletion and modification of files.", "attack": ["defense-impairment - Linux and Mac Permissions (T1222.002)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "6f1b77fa-1d21-4084-b192-bd0405b57e03", "name": "Python Offensive Tools and Packages", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "Track installation and usage of offensive python packages and project that are used for lateral movement.", "attack": ["execution - Python (T1059.006)"], "intake-formats": ["IBM AIX", "Elastic Winlogbeat", "Tanium", "WithSecure Elements", "Palo Alto Cortex XDR (EDR)", "SentinelOne Cloud Funnel 2.0", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Stormshield SNS", "Juniper NGFW", "Trend Micro Apex One / Vision One endpoint", "Barracuda CloudGen Firewall", "Elastic AuditBeat Linux", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "b9facd50-b316-4e4a-b3d7-57f4b3521e4e", "name": "Default User www data User Compromised", "effort": "master", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "User www_data by default cannot log and use a shell, any syscall of type execve induce user compromise", "attack": ["persistence - Web Shell (T1505.003)", "execution - Unix Shell (T1059.004)"], "intake-formats": []}, {"uuid": "7a44a445-8532-464d-af4e-cfbf66371b28", "name": "Process Memory Dumping From proc Filesystem", "effort": "master", "data_sources": ["File monitoring", "Process command-line parameters", "Process monitoring"], "description": "Attacker might want to leverage their permission on the system or steal authentication to third parties software, website, etc.. To do so, attacker might try to dump memory of interesting process, for instance ftp-server or web server to dig for authentication login and password. The prerequisites are to enable monitoring of the openat and open syscalls using Auditbeat.", "attack": ["credential-access - /etc/passwd and /etc/shadow (T1003.008)", "credential-access - Proc Filesystem (T1003.007)"], "intake-formats": []}, {"uuid": "7811968a-dda4-4bc7-b5cf-20b7fca2454d", "name": "Linux Suspicious Nohup Exec", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "Detects suspicious usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments", "attack": ["stealth - Ignore Process Interrupts (T1564.011)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "7cb3f329-8d12-4065-8dd1-fdb91da7eecf", "name": "Linux Suspicious Search", "effort": "intermediate", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "Adversaries may search for private key on compromised systems", "attack": ["credential-access - Private Keys (T1552.004)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "34a2840f-814c-41c7-b39c-b40c0e0625f2", "name": "Add User to Privileged Group", "effort": "advanced", "data_sources": ["File monitoring", "Host network interface", "Process command-line parameters", "Process monitoring"], "description": "Add user in a potential privileged group which can be used to elevate privileges on the system.", "attack": ["privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "752fd068-7373-4c6a-a0fd-37ecdbf11b26", "name": "Cron Files Alteration", "effort": "advanced", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "Cron Files and Cron Directory alteration used by attacker for persistency or privilege escalation. To ensure full performance on this rule, `auditbeat` intake must be configure with the module `file_integrity` containing path mentionned in the pattern.", "attack": ["privilege-escalation - Cron (T1053.003)"], "intake-formats": ["BeyondTrust Privileged Remote Access Session", "Netskope", "Tanium", "Juniper NGFW", "ManageEngine ADAudit Plus", "Trend Micro Apex One / Vision One endpoint", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "SentinelOne Cloud Funnel 2.0", "CyberArk Audit Logs", "BeyondTrust PRA Team [BETA]", "IBM iSeries", "NucleonEDR", "Elastic Winlogbeat", "HarfangLab EDR"]}, {"uuid": "9d71726f-0f5a-4b03-8712-6f5465aa22e9", "name": "Python Exfiltration Tools", "effort": "advanced", "data_sources": ["File monitoring", "Process command-line parameters", "Process monitoring"], "description": "Python has some built-in modules or library that could be installed and later be used as exflitration tool by an attacker", "attack": ["exfiltration - Automated Exfiltration (T1020)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "d4afadc0-9754-4f13-87a0-2a7f24a94d37", "name": "Network Scanning and Discovery", "effort": "advanced", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "Tools and command lines used for network discovery from current system", "attack": ["discovery - Remote System Discovery (T1018)"], "intake-formats": ["Cisco NX-OS", "ESET Protect", "Broadcom/Symantec Endpoint Security", "Crowdstrike Falcon Telemetry", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "Keycloak Events", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Thinkst Canary", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Daspren Parad", "IBM iSeries", "Juniper NGFW", "Elastic AuditBeat Linux", "SonicWall Firewall", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CEF", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Akamai Guardicore On-Prem [BETA]", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trellix ePO (on-prem)", "Trend Micro Vision One OAT [BETA]", "Jumpcloud Directory Insights", "Azure Activity Logs", "Trellix EPO [ALPHA]", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "VMware ESXi", "Microsoft 365 / Office 365", "Postfix", "Windows Log Insight", "Azure Windows", "Akamai Guardicore Cloud [BETA]", "Elastic Winlogbeat"]}, {"uuid": "304ce000-e43c-4865-8dff-1f9c7a654180", "name": "Linux Suspicious Auto-start Desktop Shortcut Execution", "effort": "intermediate", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "This detection rule identifies a suspicious process start from an graphical env process which may indicate the use of a malicious .desktop shortcut.", "attack": ["privilege-escalation - XDG Autostart Entries (T1547.013)"], "intake-formats": ["OCSF", "Trend Micro Vision One OAT [BETA]", "Tanium", "WithSecure Elements", "Stormshield SES", "ESET Protect", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "SentinelOne EDR", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "18b9f844-78cd-4234-8885-1ab32a456163", "name": "Process Trace Alteration", "effort": "advanced", "data_sources": ["File monitoring", "Process command-line parameters", "Process monitoring"], "description": "PTrace syscall provides a means by which one process (\"tracer\") may observe and control the execution of another process (\"tracee\") and examine and change the tracee's memory and registers. Attacker might want to abuse ptrace functionnality to analyse memory process. It requires to be admin or set ptrace_scope to 0 to allow all user to trace any process.", "attack": ["credential-access - Proc Filesystem (T1003.007)"], "intake-formats": ["Cisco NX-OS", "NeroSwarm Honeypot", "BeyondTrust Privileged Remote Access Session", "Netskope", "ESET Protect", "Trellix Network Security", "Broadcom/Symantec Endpoint Security", "CyberArk Audit Logs", "Crowdstrike Falcon Telemetry", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Watchguard EPDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Daspren Parad", "RSA SecurID", "IBM iSeries", "Juniper NGFW", "Citrix NetScaler / ADC", "Elastic AuditBeat Linux", "SonicWall Firewall", "WALLIX Bastion", "Palo Alto NGFW", "Sophos EDR", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "CEF", "SentinelOne EDR", "Stormshield SNS", "ManageEngine ADAudit Plus", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Kaspersky Endpoint Security", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Varonis Data Security", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Palo Alto Prisma access", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "5ad1fc9f-0e65-42b3-b019-735b862c86ed", "name": "Disabled Service", "effort": "advanced", "data_sources": ["File monitoring", "Process command-line parameters", "Process monitoring"], "description": "Service disabling can be abused by attacker to deny security mecanisms (eg: firewall, EDR, ect) and it is also often used by cryptominer to exploit as much RAM & CPU as possible on infected host. The prerequisites are to enable monitoring of the truncate, rename and unlink syscalls using Auditbeat.", "attack": ["stealth - Disable or Modify Tools (T1562.001)", "impact - Service Stop (T1489)"], "intake-formats": ["IBM AIX", "Cisco NX-OS", "Broadcom/Symantec Endpoint Security", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "Juniper NGFW", "Elastic Winlogbeat", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "b9613c8e-34a9-4883-8a97-a73950c7a499", "name": "Linux Fileless Execution", "effort": "intermediate", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "Process image resolved to memfd syscall. Could be used by adversaries to hide malware", "attack": ["stealth - Reflective Code Loading (T1620)"], "intake-formats": ["Elastic AuditBeat Linux"]}, {"uuid": "3819ae60-d5c6-4aef-abc4-0048e75972fa", "name": "SSH Reverse Socks", "effort": "intermediate", "data_sources": ["Process command-line parameters"], "description": "Detects the usage of the -R option combined with StrictHostKeyChecking, which is an indication of using SSH for reverse socks.", "attack": ["command-and-control - Protocol Tunneling (T1572)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "f40077d3-0f9e-4cca-9ed6-40d20dd4d7a9", "name": "Setuid Or Setgid Usage", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "Detects the usage of a setuid or a setgid. The prerequisites are to enable monitoring of the setuid and setgid syscalls using Auditbeat.", "attack": ["privilege-escalation - Setuid and Setgid (T1548.001)"], "intake-formats": ["Elastic AuditBeat Linux", "Sekoia.io Endpoint Agent"]}, {"uuid": "46c83294-5147-4531-b0fd-f29bae39e1de", "name": "File and Directory Permissions Modification", "effort": "advanced", "data_sources": ["File monitoring", "Process command-line parameters", "Process monitoring"], "description": "Detects the use of chmod to give high level permissions to file that might be binary files. The prerequisites are to enable monitoring of the fchmodat, chmod and fchmod syscalls using Auditbeat.", "attack": ["defense-impairment - Linux and Mac Permissions (T1222.002)"], "intake-formats": ["Elastic AuditBeat Linux", "Sekoia.io Endpoint Agent"]}, {"uuid": "af72d787-7c5e-4592-b644-85897c5fc125", "name": "Generic-reverse-shell-oneliner", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "To bypass some security equipement or for a sack of simplicity attackers can open raw reverse shell using shell commands", "attack": ["execution - Command and Scripting Interpreter (T1059)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "87e54a2b-087f-458b-99b1-30d945a32c23", "name": "Linux Ldpreload Modification", "effort": "intermediate", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "Detect ld.so.preload modification for shared lib injection, technique used by attackers to load arbitrary code into process", "attack": ["execution - Dynamic Linker Hijacking (T1574.006)"], "intake-formats": []}, {"uuid": "2284d3f4-22e2-4744-954d-3d26bb0fae68", "name": "Package Manager Alteration", "effort": "advanced", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "Package manager (eg: apt, yum) can be altered to install malicious software. To ensure full performance on this rule, `auditbeat` intake must be configure with the module `file_integrity` containing path mentionned in the pattern.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["BeyondTrust Privileged Remote Access Session", "Netskope", "Tanium", "Juniper NGFW", "ManageEngine ADAudit Plus", "Trend Micro Apex One / Vision One endpoint", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "SentinelOne Cloud Funnel 2.0", "CyberArk Audit Logs", "BeyondTrust PRA Team [BETA]", "IBM iSeries", "NucleonEDR", "Elastic Winlogbeat", "HarfangLab EDR"]}, {"uuid": "cc991200-e911-4780-b2c0-d2e21179b5fb", "name": "Linux Binary Masquerading", "effort": "elementary", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "Attackers could rename legitimate system bin to evade security mechanisme. The prerequisites are to enable monitoring of the execve syscall using Auditbeat.", "attack": ["stealth - Rename Legitimate Utilities (T1036.003)"], "intake-formats": ["Elastic AuditBeat Linux"]}, {"uuid": "fd627ef0-74e9-4c3d-8200-fcbb6fef42e0", "name": "Linux Bash Reverse Shell", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "To bypass some security equipement or for a sack of simplicity attackers can open raw reverse shell using shell commands", "attack": ["execution - Unix Shell (T1059.004)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "27c754fe-f46a-441b-b8c7-336e0a961ff6", "name": "Binary List Tcp", "effort": "advanced", "data_sources": ["File monitoring", "Process monitoring"], "description": "A binary is trying to list TCP connections. The prerequisites are to enable monitoring of the open and openat syscalls using Auditbeat.", "attack": ["command-and-control - Port Knocking (T1205.001)"], "intake-formats": []}, {"uuid": "482eaecc-7d67-4d75-b2ec-9db7406e8443", "name": "SSH Authorized Key Alteration", "effort": "advanced", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "The file authorized_keys is used by SSH server to identify SSH keys that are authorized to connect to the host, alteration of one of those files might indicate a user compromision.", "attack": ["privilege-escalation - SSH Authorized Keys (T1098.004)"], "intake-formats": ["BeyondTrust Privileged Remote Access Session", "Netskope", "Tanium", "Juniper NGFW", "ManageEngine ADAudit Plus", "Trend Micro Apex One / Vision One endpoint", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "SentinelOne Cloud Funnel 2.0", "CyberArk Audit Logs", "BeyondTrust PRA Team [BETA]", "IBM iSeries", "NucleonEDR", "Elastic Winlogbeat", "HarfangLab EDR"]}, {"uuid": "c7a68bf0-4b56-4491-8553-2e34741fc342", "name": "Write To File In Sudoers.d Folder", "effort": "advanced", "data_sources": ["File monitoring"], "description": "A user tried to write something to a file in /etc/sudoers.d. It can be used to elevate privilege related to sudo and make it persistent. The prerequisites are to enable monitoring of the openat syscall using Auditbeat.", "attack": ["credential-access - /etc/passwd and /etc/shadow (T1003.008)"], "intake-formats": []}, {"uuid": "a2315508-0dd5-4f92-98d1-2c57c29966da", "name": "Docker Escape Bind Mount", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "Catch Docker escape via mount escape followed by chroot ", "attack": ["execution - Deploy Container (T1610)", "privilege-escalation - Escape to Host (T1611)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "db994091-8b28-45f5-a66b-90c06f5fa7a6", "name": "Container Credential Access", "effort": "intermediate", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "Adversaries could abuse containers tools to obtain credential like Kubernetes secret or Kubernetes service account access token", "attack": ["credential-access - Container API (T1552.007)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "4c61a2b5-4ae5-4c5b-a674-32e2feb7f44e", "name": "Listing Systemd Environment", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host.", "attack": ["discovery - System Information Discovery (T1082)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "47afc02c-9d59-4f31-a12b-5e70082b082b", "name": "Unusual Process Executed in Temporary Directory", "effort": "master", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "Identifies processes running in a temporary folder. This is sometimes done by adversaries to hide malware. The prerequisites are to enable monitoring of the execve syscall using Auditbeat.", "attack": ["privilege-escalation - Abuse Elevation Control Mechanism (T1548)"], "intake-formats": []}, {"uuid": "cb79d0a8-2ea7-41e6-9723-6fe357d9b2cd", "name": "Microsoft Defender Antivirus Exclusion Configuration", "effort": "master", "data_sources": ["Windows event logs", "Windows Registry", "Anti-virus"], "description": "Detects when an exclusion configuration change is made to Microsoft Windows Defender (adding either a path or process bypass)", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["BeyondTrust Privileged Remote Access Session", "Sekoia.io Endpoint Agent", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "Crowdstrike Falcon Telemetry", "BeyondTrust PRA Team [BETA]", "Microsoft Defender XDR (Graph API) [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "c08af59a-0d3a-4138-a345-acf3a8819bfb", "name": "Suspicious Netsh DLL Persistence", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects persitence via netsh helper. Netsh interacts with other operating system components using dynamic-link library (DLL) files. Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs.", "attack": ["persistence - Netsh Helper DLL (T1546.007)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "4f036b22-9f50-4f1b-9995-1d65e4b9c1b8", "name": "RedMimicry Winnti Playbook Registry Manipulation", "effort": "elementary", "data_sources": ["Windows event logs", "Windows Registry", "Process command-line parameters"], "description": "Detects actions caused by the RedMimicry Winnti playbook. Logging for Registry events is needed in the Sysmon configuration (events 12 and 13).", "attack": ["persistence - Modify Registry (T1112)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "04ca5e61-a17e-4609-9e20-08d002c1d66f", "name": "Suspicious Commands From MS SQL Server Shell", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs", "Process command-line parameters"], "description": "Detection of some shell commmands run from a cmd executed by Microsoft MS SQL Server. It could be a sign of xp_cmdshell allowed on the MS-SQL server.", "attack": ["privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Elastic Winlogbeat", "Tanium", "SentinelOne Cloud Funnel 2.0", "Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "233f1e82-be44-4e00-98b6-de1a3d2f9071", "name": "Process Memory Dump Using Createdump", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects the use of createdump.exe in command line to dump the memory of a process. This technique is used by attackers for privilege escalation and pivot.", "attack": ["credential-access - OS Credential Dumping (T1003)", "credential-access - LSASS Memory (T1003.001)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "b4d66207-82ae-485b-bb17-acde55768451", "name": "Suspicious Scripting In A WMI Consumer", "effort": "intermediate", "data_sources": ["Windows event logs", "WMI Objects"], "description": "Detects suspicious scripting in WMI Event Consumers. The rule requires to log WMI Consumers, which can be done through Sysmon's Event IDs 20 and 21.", "attack": ["persistence - Windows Management Instrumentation Event Subscription (T1546.003)", "execution - Command and Scripting Interpreter (T1059)"], "intake-formats": ["Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "ee62b40a-9d08-40c2-84a5-6dba38eb9182", "name": "Malware Persistence Registry Key", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs", "Windows Registry"], "description": "Detects registry key used by several malware, especially Formbook spyware in two ways, either the Sysmon registry events, or the commands line.", "attack": ["privilege-escalation - Registry Run Keys / Startup Folder (T1547.001)", "persistence - Registry Run Keys / Startup Folder (T1060)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "294f8728-57ee-478d-bf32-6252184f4a56", "name": "Process Memory Dump Using Rdrleakdiag", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects the use of rdrleakdiag.exe in command line to dump the memory of a process. This technique is used by attackers for privilege escalation and pivot.", "attack": ["credential-access - OS Credential Dumping (T1003)", "credential-access - LSASS Memory (T1003.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "dbc59017-69d0-414e-8036-7a34a24e78d8", "name": "Data Compressed With Rar With Password", "effort": "intermediate", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters", "PowerShell logs"], "description": "An adversary may compress data in order to make it portable and minimize the amount of data sent over the network, this could be done the popular rar command line program. This is a more specific one for rar where the arguments allow to encrypt both file data and headers with a given password.", "attack": ["collection - Archive via Utility (T1560.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "53519203-520a-4f47-b1b5-41aed5e3cbb8", "name": "Bloodhound and Sharphound Tools Usage", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects default process names and default command line parameters used by Bloodhound and Sharphound tools.", "attack": ["discovery - Local Account (T1087.001)", "discovery - Domain Account (T1087.002)", "discovery - Domain Trust Discovery (T1482)", "discovery - Local Groups (T1069.001)", "discovery - Domain Groups (T1069.002)", "execution - PowerShell (T1059.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "ESET Protect", "Broadcom/Symantec Endpoint Security", "NucleonEDR", "Crowdstrike Falcon Telemetry", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "Keycloak Events", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Thinkst Canary", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Daspren Parad", "RSA SecurID", "IBM iSeries", "Juniper NGFW", "Citrix NetScaler / ADC", "Elastic AuditBeat Linux", "SonicWall Firewall", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "CEF", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Akamai Guardicore On-Prem [BETA]", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trellix ePO (on-prem)", "Trend Micro Vision One OAT [BETA]", "Jumpcloud Directory Insights", "Azure Activity Logs", "Trellix EPO [ALPHA]", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Microsoft 365 / Office 365", "Postfix", "VMware ESXi", "Windows Log Insight", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Akamai Guardicore Cloud [BETA]", "Elastic Winlogbeat"]}, {"uuid": "5fd5c30d-0305-49b2-a1a7-e977da5293e7", "name": "RTLO Character", "effort": "elementary", "data_sources": ["File monitoring", "Windows event logs"], "description": "Detects RTLO (Right-To-Left character) in file and process names.", "attack": ["stealth - Right-to-Left Override (T1036.002)"], "intake-formats": ["Cloudflare Gateway HTTP", "Trellix Network Security", "Cybereason EDR", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Tanium", "Thinkst Canary", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Broadcom Siteminder", "Zscaler Internet Access", "Gatewatcher AionIQ V103", "CEF", "SentinelOne EDR", "Cato Networks SASE", "Kaspersky Endpoint Security", "Akamai Guardicore On-Prem [BETA]", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Windows Log Insight", "Elastic Winlogbeat", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "Google Workspace / ChromeOS", "OCSF", "Claroty xDome", "Daspren Parad", "Juniper NGFW", "Mimecast Email Security", "Palo Alto NGFW", "Trellix EDR [ALPHA]", "Stormshield SNS", "Cisco Secure Firewall", "Trellix ePO (on-prem)", "IBM AIX", "Varonis Data Security", "Jumpcloud Directory Insights", "Azure Activity Logs", "Trellix EPO [ALPHA]", "CrowdStrike Falcon", "Microsoft 365 / Office 365", "Gatewatcher AionIQ v102", "Palo Alto Prisma access", "Trend Micro Apex One / Vision One endpoint", "Akamai Guardicore Cloud [BETA]", "BeyondTrust Privileged Remote Access Session", "Netskope", "ESET Protect", "Broadcom/Symantec Endpoint Security", "TEHTRIS EDR", "Watchguard EPDR", "WithSecure Elements", "IBM iSeries", "Elastic AuditBeat Linux", "Stormshield SES", "Proofpoint PoD", "Cisco Umbrella Proxy", "ManageEngine ADAudit Plus", "Cisco IOS router and switch", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "Palo Alto Cortex XDR (EDR)", "Postfix", "Azure Windows", "CyberArk Audit Logs", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "Keycloak Events", "Fortinet FortiProxy", "Cybereason EDR activity", "Cisco Secure Web Appliance", "SonicWall Firewall", "CyberArk Digital Vault", "Fortinet FortiMail", "Trellix Advanced Threat Defense", "Fortinet FortiGate", "VMware ESXi", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]"]}, {"uuid": "c9ed5d2e-d22b-4e11-b1b0-3992ba635170", "name": "Taskhostw Wrong Parent", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects if the Taskhostw process was executed by a non-legitimate parent process. Taskhostw is a software component of Windows service start manager, it starts DLL-based Windows services when the computer boots up.", "attack": ["privilege-escalation - Process Injection (T1055)", "privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Tanium", "Stormshield SES", "ESET Protect", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Windows", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "420db69e-4279-4a54-a2ed-42de6244f276", "name": "Invoke-TheHash Commandlets", "effort": "elementary", "data_sources": ["Process command-line parameters", "PowerShell logs", "Windows event logs"], "description": "Detects suspicious Invoke-TheHash PowerShell commandlet used for performing pass the hash WMI and SMB tasks.", "attack": ["execution - Windows Management Instrumentation (T1047)", "execution - PowerShell (T1059.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "152bf729-1967-46bf-b31b-30d8780477aa", "name": "WMI Persistence Command Line Event Consumer", "effort": "elementary", "data_sources": ["Loaded DLLs", "Process monitoring", "Windows event logs"], "description": "Detects WMI command line event consumers.", "attack": ["privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Sekoia.io Endpoint Agent", "Windows", "HarfangLab EDR", "SentinelOne Cloud Funnel 2.0"]}, {"uuid": "eb960f64-2aac-462d-b069-e94deaed7568", "name": "Lateral Movement Remote Named Pipe", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects lateral movement and remote exec using named pipe over network. This requires Windows Security event logging with the File Share enable policy.", "attack": ["lateral-movement - SMB/Windows Admin Shares (T1021.002)"], "intake-formats": ["Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "05ed23d0-27f2-4fcb-8e9e-6d2e3481cc52", "name": "KeePass Config XML In Command-Line", "effort": "intermediate", "data_sources": ["Windows event logs", "Process command-line parameters"], "description": "Detects a command-line interaction with the KeePass Config XML file. It could be used to retrieve informations or to be abused for persistence.", "attack": ["credential-access - Modify Authentication Process (T1556)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "15710f0a-59d0-4ae2-9b13-05ac6f9cf6fe", "name": "Domain Trust Created Or Removed", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "A trust was created or removed to a domain. An attacker could perform that in order to do lateral movement easily between domains or shutdown the ability of two domains to communicate.", "attack": ["privilege-escalation - Trust Modification (T1484.002)"], "intake-formats": ["Cisco NX-OS", "ExtraHop Reveal(x) 360", "BeyondTrust Privileged Remote Access Session", "NeroSwarm Honeypot", "Kubernetes Audit Log", "Azure Network Watcher [DEPRECATED]", "Azure Network Watcher Flow Logs", "CyberArk Audit Logs", "TEHTRIS EDR", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "BeyondTrust PRA Vault Account Activity [BETA]", "Lacework Cloud Security", "Keycloak Events", "AWS CloudTrail", "OCSF", "WithSecure Elements", "Cybereason EDR activity", "Thinkst Canary", "Claroty xDome", "Salesforce", "VMware vCenter", "Forcepoint Secure Web Gateway", "Forcepoint Next-Generation Firewall", "Radware DefensePro [Beta]", "Sophos Analysis Threat Center", "RSA SecurID", "IBM iSeries", "Ivanti / Pulse Connect Secure", "Citrix NetScaler / ADC", "SonicWall Firewall", "Palo Alto NGFW", "Sophos EDR", "Clavister NGFW", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "Fortinet FortiGate", "F5 BIG-IP", "Cisco IOS router and switch", "Trellix Advanced Threat Defense", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent", "Trellix ePO (on-prem)", "ArubaOS Switch", "IBM AIX", "Delinea PRA", "WatchGuard Firebox", "Windows Log Insight", "Microsoft 365 / Office 365", "Palo Alto Prisma access", "BeyondTrust PRA Team [BETA]", "Azure Windows", "Check Point NGFW", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "b0d4e25e-a745-11eb-b949-f0d5bf514442", "name": "Suspicious Access To Sensitive File Extensions", "effort": "master", "data_sources": ["Windows event logs"], "description": "Detects known sensitive file extensions accessed on a network share. This activity could possibly correspond to a malicious one (removing backup, reading sensitive files, etc.).", "attack": ["collection - Data from Network Shared Drive (T1039)"], "intake-formats": ["Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "89974e5e-bcec-402d-b5bb-14210c16bb16", "name": "Disable Security Events Logging Adding Reg Key MiniNt", "effort": "master", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.  Prerequisites: Logging for Registry events for this specific registry key is needed in the Sysmon configuration (events 12, 13 and 14).", "attack": ["stealth - Disable Windows Event Logging (T1562.002)", "persistence - Modify Registry (T1112)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "95df7b9f-9cf2-4f3e-8483-2765536198f7", "name": "Exchange Server Spawning Suspicious Processes", "effort": "intermediate", "data_sources": ["Windows event logs", "Process monitoring"], "description": "Look for Microsoft Exchange Server\u2019s Unified Messaging service spawning suspicious sub-processes, suggesting exploitation of CVE-2021-26857 vulnerability.", "attack": ["persistence - Web Shell (T1505.003)"], "intake-formats": ["SentinelOne Singularity Identity", "OCSF", "Sekoia.io Endpoint Agent", "Tanium", "Cybereason EDR activity", "ESET Protect", "Stormshield SES", "Azure Activity Logs", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "16590703-89ad-4e0f-9c3d-6ec7678be647", "name": "Information Stealer Downloading Legitimate Third-Party DLLs", "effort": "intermediate", "data_sources": ["File monitoring", "Windows event logs"], "description": "Detects operations that involved legitimate third-party DLLs used by information-stealing malware for data collection on the infected host. This detection rule correlates at least 7 events including the following DLLs - freebl3.dll, vcruntime140.dll, msvcp140.dll, nss3.dll, sqlite3.dll, softokn3.dll, mozglue.dll and libcurl.dll. This behaviour matches activities of several widespread stealer like Vidar, Raccoon Stealer v2, Mars Stealer, etc.", "attack": ["command-and-control - Ingress Tool Transfer (T1105)", "credential-access - Credentials from Password Stores (T1555)", "collection - Data from Local System (T1005)"], "intake-formats": ["IBM AIX", "Cisco NX-OS", "SonicWall Firewall", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Sophos Analysis Threat Center", "Windows", "SentinelOne EDR", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "IBM iSeries", "Trend Micro Apex One / Vision One endpoint", "Barracuda CloudGen Firewall", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "4737a5a2-0260-4219-9cd2-9dfac273f2c7", "name": "Wmic Service Call", "effort": "intermediate", "data_sources": ["Process command-line parameters", "PowerShell logs", "Windows event logs"], "description": "Detects either remote or local code execution using wmic tool.", "attack": ["execution - Windows Management Instrumentation (T1047)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "146c8187-a4a6-480a-b681-c28f5d95c91d", "name": "Suspicious Regasm Regsvcs Usage", "effort": "advanced", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters"], "description": "catch abuse of regsvcs and regasm lolbin by attacker", "attack": ["stealth - Regsvcs/Regasm (T1218.009)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "0f617c02-96f9-4d94-add6-8825a809f1ae", "name": "Dynwrapx Module Loading", "effort": "advanced", "data_sources": ["DLL monitoring", "Loaded DLLs", "Windows event logs"], "description": "Detects the loading of DynamicWrapperX (Dynwrapx). It is used by some malware in their infection chain and could help to detect its usage from vbs/wscript/cscript scripts. This is based on Microsoft Windows Sysmon events (Event ID 7).", "attack": ["stealth - Regsvr32 (T1218.010)", "privilege-escalation - Dynamic-link Library Injection (T1055.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "1ac56867-c34a-4a19-b73a-2df7151a8e12", "name": "Correlation Multi Service Disable", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "The rule detects a high number of services stopped or de-activated in a short period of time.", "attack": ["impact - Service Stop (T1489)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "SentinelOne EDR", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "NucleonEDR"]}, {"uuid": "4e7b3d76-62cd-4694-a4c3-c0e33c663034", "name": "Microsoft Defender Antivirus Disabled Base64 Encoded", "effort": "intermediate", "data_sources": ["PowerShell logs", "Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects attempts to deactivate/disable Windows Defender through base64 encoded PowerShell command line or scripts.", "attack": ["stealth - Disable or Modify Tools (T1562.001)", "stealth - Deobfuscate/Decode Files or Information (T1140)", "execution - PowerShell (T1059.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "7ebce905-306d-42eb-8945-aa6bfa2881b5", "name": "Sticky Key Like Backdoor Usage", "effort": "elementary", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen. Prerequisites are logging for Registry events, which can be done with Sysmon (events 12 and 13).", "attack": ["persistence - Accessibility Features (T1546.008)"], "intake-formats": ["BeyondTrust Privileged Remote Access Session", "Sekoia.io Endpoint Agent", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "SentinelOne Cloud Funnel 2.0", "Windows", "Crowdstrike Falcon Telemetry", "BeyondTrust PRA Team [BETA]", "Microsoft Defender XDR (Graph API) [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "f93f7e76-75f9-46ee-b5ea-796590165f24", "name": "NetSh Used To Disable Windows Firewall", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects NetSh commands used to disable the Windows Firewall", "attack": ["stealth - Disable or Modify System Firewall (T1562.004)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "916509f0-5ee0-4f07-91a4-cf5c43c70357", "name": "Correlation Supicious Powershell Drop and Exec", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Process use of network"], "description": "Detects a PowerShell process that download and exec a payload", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "Barracuda CloudGen Firewall", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Juniper NGFW", "Stormshield SES", "SentinelOne EDR", "Windows", "Cisco Secure Firewall", "HarfangLab EDR", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "Bitdefender GravityZone", "SentinelOne Cloud Funnel 2.0"]}, {"uuid": "b5624a26-9a00-4599-86b8-0f14048ea295", "name": "Mustang Panda Dropper", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "Detects specific process parameters as used by Mustang Panda droppers", "attack": ["execution - Windows Command Shell (T1059.003)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "2ed238bb-57d9-45df-b6b2-f398b9eea7a0", "name": "Execution From Suspicious Folder", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects a suspicious execution from an uncommon folder", "attack": ["stealth - Masquerading (T1036)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "3542e247-3d56-444d-a530-749ccb0e24f2", "name": "Remote Registry Management Using Reg Utility", "effort": "master", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Remote registry management using REG utility from non-admin workstation. This requires Windows Security events logging.", "attack": ["persistence - Modify Registry (T1112)", "discovery - Query Registry (T1012)", "credential-access - Credentials in Registry (T1552.002)"], "intake-formats": ["Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "554652de-dfa0-4e1a-a342-44a7dbae5466", "name": "Mimikatz Basic Commands", "effort": "elementary", "data_sources": ["PowerShell logs", "Process command-line parameters", "Windows event logs"], "description": "Detects Mimikatz most popular commands. ", "attack": ["privilege-escalation - Account Manipulation (T1098)", "credential-access - OS Credential Dumping (T1003)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "7b350761-eb2f-4eab-ad5f-48619c99fb01", "name": "Suncrypt Parameters", "effort": "elementary", "data_sources": ["PowerShell logs", "Process command-line parameters"], "description": "Detects SunCrypt ransomware's parameters, most of which are unique.", "attack": ["impact - Data Encrypted for Impact (T1486)", "impact - Inhibit System Recovery (T1490)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "cb0a6215-874e-4a5b-8feb-571ddf3bfcee", "name": "Reconnaissance Commands Activities", "effort": "intermediate", "data_sources": ["Windows event logs", "Process command-line parameters"], "description": "Based on Cynet, Microsoft and Kaspersky analysis of Qakbot, this rule tries to detect some discovery TTPs.", "attack": ["persistence - Event Triggered Execution (T1546)", "privilege-escalation - Abuse Elevation Control Mechanism (T1548)", "discovery - Account Discovery (T1087)", "discovery - System Network Configuration Discovery (T1016)", "discovery - System Network Connections Discovery (T1049)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "Barracuda CloudGen Firewall", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "SentinelOne EDR", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "NucleonEDR"]}, {"uuid": "e0df67ae-832c-4706-a8db-eb17fd26116e", "name": "Narrator Feedback-Hub Persistence", "effort": "master", "data_sources": ["Windows event logs", "Windows Registry"], "description": "The Windows 10 Narrator's Feedback-Hub registry key has been modified which could be done by an attacker for persistence purposes. Prerequisites are logging for Registry events in the Sysmon configuration (events 12 and 13). Careful since the SwiftOnSecurity Sysmon's configuration needs to be changed to log for this specifically.", "attack": ["privilege-escalation - Registry Run Keys / Startup Folder (T1547.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "36b02718-9fa7-4f68-a56e-b0a8cd364508", "name": "Tactical RMM Installation", "effort": "elementary", "data_sources": ["Windows event logs", "Process command-line parameters"], "description": "Detection of common Tactical RMM installation arguments that could be abused by some attackers.", "attack": ["execution - Windows Management Instrumentation (T1047)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Broadcom/Symantec Endpoint Security", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "be611007-f660-4d77-bc22-3324f50da1c9", "name": "Python Opening Ports", "effort": "advanced", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects when the Windows Filtering Platform has permitted Python.exe to listen on a port for incoming connections. This activity is most likely related to the deployment of a Python server or an application that needs to communicate over a network. Threat actors could use it for data extraction, hosting a webshell or else. ", "attack": ["stealth - Disable or Modify System Firewall (T1562.004)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "2f26e29b-b3fb-4681-b3ee-3a79d2207862", "name": "Suspicious desktop.ini Action", "effort": "advanced", "data_sources": ["File monitoring", "Process monitoring", "Windows event logs"], "description": "Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.", "attack": ["privilege-escalation - Shortcut Modification (T1547.009)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "TEHTRIS EDR", "Tanium", "WithSecure Elements", "Daspren Parad", "SentinelOne EDR", "Kaspersky Endpoint Security", "Windows", "Trellix ePO (on-prem)", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "6124e5cf-87bd-4f04-beca-37188633a1c7", "name": "Unsigned Driver Loaded From Suspicious Location", "effort": "advanced", "data_sources": ["Kernel drivers", "Loaded DLLs"], "description": "Detects when a driver is unsigned and loaded from a suspicious directory.", "attack": ["stealth - Masquerading (T1036)"], "intake-formats": ["Windows", "Elastic Winlogbeat", "Sekoia.io Endpoint Agent"]}, {"uuid": "af2bb186-13d5-473f-b4df-95d8fe6ddae8", "name": "SCM Database Privileged Operation", "effort": "master", "data_sources": ["Windows event logs", "Process monitoring"], "description": "Detects non-system users performing privileged operation on the SCM database", "attack": ["discovery - System Service Discovery (T1007)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "c81e28f7-ff79-4407-a214-9139b8717d8c", "name": "SquirrelWaffle Malspam Execution Loading DLL", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects cscript running suspicious command to load a DLL. This behavior has been detected in SquirrelWaffle campaign.", "attack": ["execution - Malicious File (T1204.002)", "execution - Windows Command Shell (T1059.003)", "execution - Visual Basic (T1059.005)", "stealth - Rundll32 (T1218.011)"], "intake-formats": ["SentinelOne Singularity Identity", "OCSF", "Sekoia.io Endpoint Agent", "Tanium", "Cybereason EDR activity", "Stormshield SES", "Azure Activity Logs", "CrowdStrike Falcon", "Bitdefender GravityZone", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Windows", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "a82fa4da-6a5c-4776-8615-e02d168c8718", "name": "Screenconnect Remote Execution", "effort": "intermediate", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters"], "description": "Detect cmd or powershell remote execution cmdline via ScreenConnect", "attack": ["execution - Windows Command Shell (T1059.003)", "execution - PowerShell (T1059.001)"], "intake-formats": ["SentinelOne Singularity Identity", "OCSF", "Sekoia.io Endpoint Agent", "Tanium", "Cybereason EDR activity", "Stormshield SES", "Azure Activity Logs", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "dd84411b-7ab9-4d85-93f3-06c042308596", "name": "Process Hollowing Detection", "effort": "master", "data_sources": ["Loaded DLLs", "Process monitoring", "Windows event logs"], "description": "Detection of process hollowing using Sysmon Event ID 25. It detects that an image has been replaced in a process memory.", "attack": ["privilege-escalation - Process Hollowing (T1055.012)"], "intake-formats": ["Azure Windows", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "8a2859e8-4c76-11ec-a920-167732585753", "name": "Process Memory Dump Using Comsvcs", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects the use of comsvcs in command line to dump a specific process memory. This technique is used by attackers for privilege escalation and pivot.", "attack": ["credential-access - OS Credential Dumping (T1003)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "6704b0b1-e74f-4af7-adfa-8a4b4396c343", "name": "WMIC Uninstall Product", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects products being uninstalled using WMIC command.", "attack": ["stealth - Disable or Modify Tools (T1562.001)", "execution - Windows Management Instrumentation (T1047)", "execution - Windows Command Shell (T1059.003)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "1ed77d3b-81fb-4f4d-994e-5ffa85e1a8d2", "name": "Adidnsdump Enumeration", "effort": "advanced", "data_sources": ["Windows event logs", "PowerShell logs"], "description": "Detects use of the tool adidnsdump for enumeration and discovering DNS records.", "attack": ["reconnaissance - Gather Victim Network Information (T1590)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Netskope", "Trellix Network Security", "CyberArk Audit Logs", "Crowdstrike Falcon Telemetry", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Watchguard EPDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Daspren Parad", "RSA SecurID", "IBM iSeries", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "SonicWall Firewall", "WALLIX Bastion", "Palo Alto NGFW", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "CEF", "SentinelOne EDR", "Stormshield SNS", "ManageEngine ADAudit Plus", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Kaspersky Endpoint Security", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Varonis Data Security", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Palo Alto Prisma access", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "f3f866f5-6d65-4bc1-a4e2-30dd7c170d78", "name": "Abusing Azure Browser SSO", "effort": "master", "data_sources": ["Loaded DLLs", "Windows event logs"], "description": "Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user. This technique leverages the COM object (CoCreateInstance), which loads the DLL \"C:\\Windows\\System32\\MicrosoftAccountTokenProvider.dll\", to get an authentication token. Monitoring the load of this DLL can detect an attacker abusing this technique. More details on this technique are available in the article in the source section. The prerequisite is to log for Loaded DLLs, it can be done using the Sysmon Event ID 7 (DLL image loaded by process). ", "attack": ["credential-access - Exploitation for Credential Access (T1212)", "credential-access - Steal Application Access Token (T1528)", "lateral-movement - Application Access Token (T1550.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "65cf7088-7967-4f25-be9a-02b05f8820b0", "name": "Malspam Execution Registering Malicious DLL", "effort": "elementary", "data_sources": ["DLL monitoring", "File monitoring", "Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects the creation of a file in the C:\\Datop folder, or DLL registering a file in the C:\\Datop folder. Files located in the Datop folder are very characteristic of malspam execution related to Qakbot or SquirrelWaffle. Prerequisites are Logging for File Creation events, which can be done in the Sysmon configuration (events 11), for the first part of the pattern (TargetFilename).", "attack": ["execution - Malicious File (T1204.002)", "execution - Windows Command Shell (T1059.003)", "execution - Visual Basic (T1059.005)", "stealth - Rundll32 (T1218.011)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "50d57ddd-e560-48d8-9529-4e303d3bd2a2", "name": "BazarLoader Persistence Using Schtasks", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects possible BazarLoader persistence using schtasks. BazarLoader will create a Scheduled Task using a specific command line to establish its persistence.", "attack": ["privilege-escalation - Scheduled Task (T1053.005)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "d322ad1c-37ff-4b46-b8ca-532532776693", "name": "Suspicious Outbound Kerberos Connection", "effort": "advanced", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", "attack": ["credential-access - Steal or Forge Kerberos Tickets (T1558)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "196b2bd4-6a90-4a40-b093-7f4de21950e5", "name": "Secure Deletion With SDelete", "effort": "intermediate", "data_sources": ["File monitoring", "Windows event logs"], "description": "Detects renaming of file while deletion with SDelete tool. SDelete is a tool that permits to securely delete files by overwriting them (no recovery possible). Few threat actors are using it to delete traces of their malware.", "attack": ["stealth - File Deletion (T1070.004)", "stealth - Indicator Removal from Tools (T1027.005)", "impact - Data Destruction (T1485)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "789f3a8c-7c0b-4b49-b1dd-eecc6cefd531", "name": "Usage Of Sysinternals Tools", "effort": "master", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects the usage of Sysinternals Tools due to accepteula key being added to Registry. The rule detects it either from the command line usage or from the regsitry events. For the later prerequisite is logging for registry events in the Sysmon configuration (events 12 and 13).", "attack": ["execution - Service Execution (T1569.002)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "bee5faff-703f-4cda-9e2e-8555bc4feff4", "name": "Active Directory Database Dump Via Ntdsutil", "effort": "elementary", "data_sources": ["Windows event logs"], "description": "Detects the dump of ntdis.dit database by using the utility ntdsutil.exe. NTDS.dit database stores Active Directory data, including passwords hashes for all users in the domain.", "attack": ["credential-access - NTDS (T1003.003)"], "intake-formats": ["Check Point NGFW", "Windows", "Sekoia.io Endpoint Agent", "Forcepoint Next-Generation Firewall"]}, {"uuid": "7c697f98-dea5-4d9b-8266-9a0ddc145c91", "name": "Netsh Allowed Python Program", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects netsh command that performs modification on Firewall rules to allow the program python.exe. This activity is most likely related to the deployment of a Python server or an application that needs to communicate over a network. Threat actors could use it for data extraction, hosting a webshell or else.", "attack": ["stealth - Disable or Modify System Firewall (T1562.004)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "3de38882-4782-4d8e-a8a9-f5a7024729ea", "name": "Autorun Keys Modification", "effort": "master", "data_sources": ["Windows Registry"], "description": "Detects modification of autostart extensibility point (ASEP) in registry. Prerequisites are Logging for Registry events in the Sysmon configuration (events 12 and 13).", "attack": ["privilege-escalation - Registry Run Keys / Startup Folder (T1547.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "795c1a07-d8a8-497d-9632-2ed5cc86a739", "name": "SysKey Registry Keys Access", "effort": "elementary", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects handle requests and access operations to specific registry keys to calculate the SysKey. The SysKey allows to decrypt Security Account Mannager (SAM) database entries (from registry or hive) and get NTLM, and sometimes LM hashes of local accounts passwords. Adversaries can calculate the Syskey by using RegOpenKeyEx/RegQueryInfoKey API calls to query the appropriate class info and values from the HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\JD, HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Skew1, HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\GBG, and HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Data keys.", "attack": ["discovery - Query Registry (T1012)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "64637a76-8fe7-47fc-9769-81a6e5b2ac52", "name": "Correlation Post Exploitation Patterns Via Winrm", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs", "Process command-line parameters"], "description": "This rule detects a sequence of post exploitation commands (e.g., whoami, net, ipconfig) executed via WinRM on host within a short timeframe", "attack": ["stealth - Clear Mailbox Data (T1070.008)"], "intake-formats": ["SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Cybereason EDR activity", "ESET Protect", "Stormshield SES", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "dc9fa397-87af-4df4-85f1-ead2644e2241", "name": "Failed Logon Followed By A Success From Public IP Addresses", "effort": "master", "data_sources": ["Authentication logs", "Windows event logs"], "description": "A login from a public IP can indicate a misconfigured firewall or network boundary. The detection look for 5 or more failed attemps followed by a successfull one. The sekoia.tags are used to filter internal Ipv4 addresses.", "attack": ["initial-access - Valid Accounts (T1078)", "initial-access - Exploit Public-Facing Application (T1190)", "initial-access - External Remote Services (T1133)"], "intake-formats": []}, {"uuid": "1425baaa-5292-4cba-9104-437a4dbff2c7", "name": "Rare Logonui Child Found", "effort": "advanced", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Logonui.exe is a file associated with the Logon user interface. The login user interface is an essential part of the Windows operating system. It not only makes it easy for the user to log in to the PC but also determines whether the user has logged in and logged out correctly and makes it easy to switch between users. This process could create a child process but it is very rare and could be a signal of some process injection.", "attack": ["privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Sekoia.io Endpoint Agent", "Tanium", "Stormshield SES", "ESET Protect", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "SentinelOne EDR", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "ecf164f3-ba2e-4e36-9c5b-653a15244306", "name": "Netscan Share Access Artefact", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "Detects netscan artefact on windows network share - indicate network share discovery.", "attack": ["discovery - Network Share Discovery (T1135)"], "intake-formats": ["Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "5c1a7a47-b7c7-4801-9d6e-8e9bdaaa58f3", "name": "Suspicious Process Requiring DLL Starts Without DLL", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs", "Process command-line parameters"], "description": "Detects potential process injection and hollowing on processes that usually require a DLL to be launched, but are launched without any argument. ", "attack": ["privilege-escalation - Process Injection (T1055)"], "intake-formats": ["Trend Micro Vision One OAT [BETA]", "Sekoia.io Endpoint Agent", "Tanium", "WithSecure Elements", "Stormshield SES", "CrowdStrike Falcon", "Bitdefender GravityZone", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "SentinelOne EDR", "Windows", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "a8f41ba4-ad15-4a4e-862a-f44faf2dc9a8", "name": "Wininit Wrong Parent", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Windows Boot is a background application launcher for the Windows operating system. Wininit.exe is responsible for performing the Windows initialization process. This rule analyse if the parent of this process is a legitimate one or not.", "attack": ["privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Sekoia.io Endpoint Agent", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Windows", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "4a7dbc0c-6baa-4a42-8e2e-ad6b5805c1f2", "name": "Copy Of Legitimate System32 Executable", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "A script has copied a System32 executable.", "attack": ["stealth - Rename Legitimate Utilities (T1036.003)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "3bb9a2c9-1684-4a87-b2a2-70b4be889b29", "name": "Logon Scripts (UserInitMprLogonScript)", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs", "Windows Registry"], "description": "Detects creation or execution of UserInitMprLogonScript persistence method. The rule requires to log for process command lines and registry creations or update, which can be done using Sysmon Event IDs 1, 12, 13 and 14.", "attack": ["privilege-escalation - Logon Script (Windows) (T1037.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "e21b9130-02dc-4a13-98fd-4e06ecd922cf", "name": "Suspicious Outlook Child Process", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects suspicious child processes of Microsoft Outlook. These child processes are often associated with spearphishing activity.", "attack": ["initial-access - Phishing (T1566)", "execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)"], "intake-formats": ["SentinelOne Singularity Identity", "OCSF", "Sekoia.io Endpoint Agent", "Tanium", "Cybereason EDR activity", "ESET Protect", "Stormshield SES", "Azure Activity Logs", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "f7ee64d4-ac0b-46f8-9bbd-5325bd03ae72", "name": "Spoolsv Wrong Parent", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects if the Spoolsv process was executed by a non-legitimate parent process. Printer Spooler Service (Spoolsv) process is responsible for managing spooled print/fax jobs.", "attack": ["privilege-escalation - Process Injection (T1055)", "privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Sekoia.io Endpoint Agent", "Tanium", "Stormshield SES", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Windows", "SentinelOne EDR", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "2eb4eeda-8653-11eb-8dcd-0242ac130003", "name": "DNS Exfiltration and Tunneling Tools Execution", "effort": "intermediate", "data_sources": ["Windows event logs", "Process monitoring", "PowerShell logs"], "description": "Well-known DNS exfiltration tools execution", "attack": ["exfiltration - Exfiltration Over Symmetric Encrypted Non-C2 Protocol (T1048.001)", "command-and-control - DNS (T1071.004)", "command-and-control - Standard Encoding (T1132.001)", "execution - PowerShell (T1059.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "ac3097a8-3f3e-478c-90ff-75c1457c2fdc", "name": "Suspicious Finger Usage", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays. An attacker can use finger to silently retrieve a command, a script or a payload from a remote server. For example, the tool Darkfinger-C2 uses this technique to download files from the C2 channel.", "attack": ["command-and-control - Ingress Tool Transfer (T1105)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "e4b93e01-4831-4e27-b4b7-f4a8b5b74d8b", "name": "Anomaly Bruteforce Disabled Users", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "The rule detects abnormally high number of TGT failed or NTLM authent failed associate to error code account disabled who could indicate a brute force attack", "attack": ["credential-access - Brute Force (T1110)"], "intake-formats": []}, {"uuid": "276efd99-3e10-402f-8024-abf6d9ce346f", "name": "Python HTTP Server", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs", "PowerShell logs"], "description": "Detects command used to start a Simple HTTP server in Python. Threat actors could use it for data extraction, hosting a webshell or else.", "attack": ["command-and-control - Web Protocols (T1071.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "af70a0e0-6339-49ef-951f-34c4c9e2038c", "name": "User Account Deleted", "effort": "master", "data_sources": ["Windows event logs"], "description": "Detects local user deletion", "attack": ["impact - Account Access Removal (T1531)"], "intake-formats": ["Cisco NX-OS", "ExtraHop Reveal(x) 360", "BeyondTrust Privileged Remote Access Session", "NeroSwarm Honeypot", "Kubernetes Audit Log", "Azure Network Watcher [DEPRECATED]", "Azure Network Watcher Flow Logs", "CyberArk Audit Logs", "TEHTRIS EDR", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "BeyondTrust PRA Vault Account Activity [BETA]", "Lacework Cloud Security", "Keycloak Events", "AWS CloudTrail", "OCSF", "WithSecure Elements", "Cybereason EDR activity", "Thinkst Canary", "Claroty xDome", "Salesforce", "VMware vCenter", "Forcepoint Secure Web Gateway", "Forcepoint Next-Generation Firewall", "Radware DefensePro [Beta]", "Sophos Analysis Threat Center", "RSA SecurID", "IBM iSeries", "Ivanti / Pulse Connect Secure", "Citrix NetScaler / ADC", "SonicWall Firewall", "Palo Alto NGFW", "Sophos EDR", "Clavister NGFW", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "Fortinet FortiGate", "F5 BIG-IP", "Cisco IOS router and switch", "Trellix Advanced Threat Defense", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent", "Trellix ePO (on-prem)", "ArubaOS Switch", "IBM AIX", "Delinea PRA", "WatchGuard Firebox", "Windows Log Insight", "Microsoft 365 / Office 365", "Palo Alto Prisma access", "BeyondTrust PRA Team [BETA]", "Azure Windows", "Check Point NGFW", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "2318a458-042b-4b08-af33-67b0abc735b4", "name": "Network Share Discovery", "effort": "master", "data_sources": ["Windows event logs", "Process monitoring"], "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. File sharing over a Windows network occurs over the SMB protocol. This technique is frequently leveraged by threat actors such as APT32, APT41, Wizard Spider. But also, through the use of some malware such as Cobalt Strike, Empire, PlugX and Ramsay.", "attack": ["discovery - Network Share Discovery (T1135)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "a96ea8b7-9296-41a8-9396-889cc5a96078", "name": "PowerShell Execution Via Rundll32", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects PowerShell Strings applied to rundll as seen in PowerShdll.dll Rule modified", "attack": ["execution - Rundll32 (T1085)", "stealth - Rundll32 (T1218.011)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "a866c7af-8e60-4417-b06c-da1b8ab1c973", "name": "Venom Multi-hop Proxy agent detection", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "Detects Venom Multi-hop Proxy agent.", "attack": ["execution - Network Device CLI (T1059.008)", "command-and-control - Protocol Tunneling (T1572)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Broadcom/Symantec Endpoint Security", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "c2243064-6b26-465c-ab79-c167c0eaafa4", "name": "Pandemic Windows Implant", "effort": "master", "data_sources": ["PowerShell logs", "Process command-line parameters", "Windows Registry", "Windows event logs"], "description": "Detects Pandemic Windows Implant through registry keys or specific command lines. Prerequisites: Logging for Registry events is needed, which can be done in the Sysmon configuration (events 12 and 13).", "attack": ["command-and-control - Ingress Tool Transfer (T1105)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "e7afc80b-8b35-4967-b213-554117c46edf", "name": "Searchprotocolhost Wrong Parent", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects if the Search Protocol Host process was executed by a non-legitimate parent process. Search Protocol Host is part of the Windows Indexing Service, a service indexing files on the local drive making them easier to search.", "attack": ["privilege-escalation - Process Injection (T1055)", "privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Tanium", "Stormshield SES", "ESET Protect", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Windows", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "5e5ed096-880a-47c9-ab51-d5f94b5f3a44", "name": "Microsoft Office Spawning Script", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects Microsoft Office process (word, excel, powerpoint) spawning wscript.exe or cscript.exe. This typically indicates the parent process launched a malicious macro, or run an exploit. This infection vector is very common and could lead to the deployment of harmful malware. ", "attack": ["execution - Visual Basic (T1059.005)", "execution - Malicious File (T1204.002)"], "intake-formats": ["SentinelOne Singularity Identity", "OCSF", "Sekoia.io Endpoint Agent", "Tanium", "Cybereason EDR activity", "ESET Protect", "Stormshield SES", "Azure Activity Logs", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "afd2f25a-f332-42a8-9cdb-d6f74545cfe2", "name": "VSCode Tunnel Shell Exec", "effort": "advanced", "data_sources": ["Windows event logs", "Process command-line parameters"], "description": "Using VSCode and its remote tunnel access feature to run a terminal and execute commands. This could be a legit use, but also has been observed being used by some attackers.", "attack": ["execution - Windows Management Instrumentation (T1047)"], "intake-formats": ["OCSF", "Sekoia.io Endpoint Agent", "Tanium", "Stormshield SES", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "SentinelOne EDR", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "df5d520f-35ea-4735-b44a-bdce7f18fe9f", "name": "Remote Privileged Group Enumeration", "effort": "advanced", "data_sources": ["Windows event logs", "Process monitoring"], "description": "Detects remote listing of local privileged group. Potential false positives, which should justify alert filters, are service accounts and administrators doing maintenance.", "attack": ["discovery - Local Account (T1087.001)"], "intake-formats": ["Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "e3fe6d7d-7609-4641-9c52-62ccf578d35a", "name": "Msdt (Follina) File Browse Process Execution", "effort": "elementary", "data_sources": ["PowerShell logs", "Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects various Follina vulnerability exploitation techniques. This is based on the Compatability Troubleshooter which is abused to do code execution.", "attack": ["execution - Exploitation for Client Execution (T1203)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "562b389a-1eff-4353-be6b-cd0b3897dcc2", "name": "Leviathan Registry Key Activity", "effort": "elementary", "data_sources": ["Windows event logs", "Windows Registry", "Process monitoring", "Process command-line parameters"], "description": "Detects registry key used by Leviathan APT in Malaysian focused campaign.", "attack": ["privilege-escalation - Registry Run Keys / Startup Folder (T1547.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "262044e8-0b54-4ff9-b14b-1ae5e83f69ea", "name": "Component Object Model Hijacking", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects component object model hijacking. An attacker can establish persistence with COM objects.", "attack": ["persistence - Component Object Model Hijacking (T1546.015)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "72a32869-3146-4051-a3a5-3b35bba6d12e", "name": "Lsass Wrong Parent", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Lsass ensures the identification of users (domain users or local users). Domain users are identified based on information in the Active Directory. Local users are identified based on information from the Security Account Manager (SAM) local database. This rule checks if the parent of this process is a legitimate one or not.", "attack": ["privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Tanium", "Stormshield SES", "ESET Protect", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Windows", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "28636b47-a914-43d1-ba6c-e77e656633d1", "name": "Antivirus Relevant File Paths Alerts", "effort": "master", "data_sources": ["Windows event logs", "Anti-virus"], "description": "Detects an Antivirus alert in a highly relevant file path or with a relevant file name. This is only based on Windows Defender events.", "attack": ["execution - Exploitation for Client Execution (T1203)", "command-and-control - Remote Access Tools (T1219)"], "intake-formats": ["Elastic Winlogbeat", "Stormshield SES", "Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "9627d3c9-e0cb-44de-877e-0eece88632f1", "name": "Searchprotocolhost Child Found", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "SearchProtocolHost.exe is part of the Windows Indexing Service, an application that indexes files from the local drive making them easier to search. This is a crucial part of the Windows operating system. This process should not create a child process or it is very rare.", "attack": ["privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Sekoia.io Endpoint Agent", "Tanium", "Stormshield SES", "ESET Protect", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "SentinelOne EDR", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "752b27bb-70d7-4f9c-82ab-6b10f8fcd164", "name": "User Couldn't Call A Privileged Service LsaRegisterLogonProcess", "effort": "master", "data_sources": ["Windows event logs"], "description": "The LsaRegisterLogonProcess function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA. This rule requires to log the Event ID 4673, which can be done by updating the Audit Policy.", "attack": ["credential-access - Kerberoasting (T1558.003)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "c5da12e5-a97d-4ac6-9821-d49126e562c7", "name": "Powershell Suspicious Startup Shortcut Persistence", "effort": "master", "data_sources": ["Process monitoring", "File monitoring"], "description": "Detects Powershell writing Startup shortcuts for persistence.", "attack": ["privilege-escalation - Registry Run Keys / Startup Folder (T1547.001)"], "intake-formats": ["SentinelOne EDR", "Elastic Winlogbeat", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "0f6133f4-7b86-45e3-8b64-6f3402090a82", "name": "AzureEdge in Command Line", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects use of azureedge in the command line.", "attack": ["discovery - Cloud Service Discovery (T1526)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "f86b933e-e640-405b-856d-12c86f007ce3", "name": "Stop Backup Services", "effort": "master", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters", "PowerShell logs", "Windows Registry"], "description": "Detects adversaries attempts to stop backups services or disable Windows previous files versions feature. This could be related to ransomware operators or legit administrators. This rule relies Windows command line logging and registry logging, and PowerShell (ID 4103, 4104).", "attack": ["impact - Inhibit System Recovery (T1490)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "22c4d903-79f0-409a-bd34-9b3ae89b303c", "name": "Cmdkey Cached Credentials Recon", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects usage of cmdkey to look for cached credentials.", "attack": ["credential-access - Cached Domain Credentials (T1003.005)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "86c75fa1-1088-4476-b773-a4e289dcb703", "name": "Suspicious ADSI-Cache Usage By Unknown Tool", "effort": "advanced", "data_sources": ["File monitoring", "Process monitoring", "Windows event logs"], "description": "Detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger. It needs file monitoring capabilities (Sysmon Event ID 11 with .sch file creation logging).", "attack": ["command-and-control - Protocol or Service Impersonation (T1001.003)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Tanium", "WithSecure Elements", "Kaspersky Endpoint Security", "Palo Alto Cortex XDR (EDR)", "Windows", "SentinelOne EDR", "Daspren Parad", "BeyondTrust PRA Team [BETA]", "TEHTRIS EDR", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "175e2a58-096a-4b25-891f-5fbe7848ae8f", "name": "Microsoft Defender Antivirus Restoration Abuse", "effort": "intermediate", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters"], "description": "The rule detects attempts to abuse Windows Defender file restoration tool. The Windows Defender process is allowed to write files in its own protected directory. This functionality can be used by a threat actor to overwrite Windows Defender files in order to prevent it from running correctly or use Windows Defender to execute a malicious DLL.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "5c5c61cc-3af7-4aec-b6de-cb8598319107", "name": "Load Of dbghelp/dbgcore DLL From Suspicious Process", "effort": "advanced", "data_sources": ["DLL monitoring", "Loaded DLLs", "Process monitoring", "Windows event logs"], "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Many tools import dbghelp.dll and / or dbgcore.dll to use the MiniDumpWriteDump function. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. Dumpert from OUTFLANK also uses this.", "attack": ["credential-access - OS Credential Dumping (T1003)", "credential-access - LSASS Memory (T1003.001)"], "intake-formats": ["Sekoia.io Endpoint Agent", "Windows", "HarfangLab EDR", "SentinelOne Cloud Funnel 2.0"]}, {"uuid": "707f4ef4-cacb-4c6f-4fea-13c7e3d17741", "name": "Impacket Addcomputer", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "Detects suspicious computer account creation based on impacket default pattern", "attack": ["persistence - Domain Account (T1136.002)"], "intake-formats": ["OCSF", "BeyondTrust Privileged Remote Access Session", "WithSecure Elements", "Windows Log Insight", "Sophos Analysis Threat Center", "CyberArk Audit Logs", "Microsoft 365 / Office 365", "BeyondTrust PRA Team [BETA]", "RSA SecurID", "Windows", "Cisco IOS router and switch", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat", "Trellix ePO (on-prem)", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "492f8443-7229-457d-a233-75a53d9f1842", "name": "Suspicious Regsvr32 Execution", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects suspicious regsvr32.exe executions, either regsvr32 registering a DLL in an unusual repository (temp/, appdata/ or public/), or regsvr32 executed by an unusual parent process, or regsvr32 executing an unusual process, or regsvr32 registering a media file and not a DLL (as seen in IcedID campaigns), or regsvr32 registering a ocx file in appdata/.", "attack": ["stealth - Regsvr32 (T1218.010)"], "intake-formats": ["Cisco NX-OS", "ESET Protect", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "52007eaf-87fc-449d-b1ee-89c1595b066f", "name": "Rclone Process", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects Rclone executable or Rclone execution by using the process name, the execution through a command obfuscated or not.", "attack": ["exfiltration - Exfiltration to Cloud Storage (T1567.002)", "command-and-control - Ingress Tool Transfer (T1105)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "3a14260c-abd2-4ada-a673-776935ebb441", "name": "MMC20 Lateral Movement", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of \"-Embedding\" as a child of svchost.exe.", "attack": ["lateral-movement - Distributed Component Object Model (T1021.003)"], "intake-formats": ["SentinelOne Singularity Identity", "OCSF", "Sekoia.io Endpoint Agent", "Tanium", "Cybereason EDR activity", "Stormshield SES", "Azure Activity Logs", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "39e2409d-28c4-424c-b80f-b0a408542210", "name": "Mimikatz LSASS Memory Access", "effort": "advanced", "data_sources": ["Authentication logs", "Process monitoring", "Windows event logs"], "description": "Detection of in-memory Mimikatz by focusing on processes opening the Local Security Authority (Lsass.exe) process and reading the memory contents of it. This probably means that Mimikatz has been executed on the host, meaning the attacker already has high privileges and is looking to dump credentials, most likely for lateral movement or privilege escalation purposes. The rule requires Sysmon EventID 10 to work as it is based on the GrantedAccess mask.", "attack": ["credential-access - LSASS Memory (T1003.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "a6eb4621-1fd3-4e25-a4c7-dcf4e0118a7a", "name": "Protected Storage Service Access", "effort": "master", "data_sources": ["Windows event logs"], "description": "Detects access to a protected_storage service over the network. It could identify potential abuse of DPAPI to extract domain backup keys from Domain Controllers.", "attack": ["lateral-movement - SMB/Windows Admin Shares (T1021.002)"], "intake-formats": ["Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "f4f5142a-a3bd-4fa9-914d-64eef43ebcf6", "name": "Correlation Suspicious Authentication Coercer Behavior", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "Detect a possible NTLM Relay attack combine with authent coerce", "attack": ["credential-access - Forced Authentication (T1187)", "collection - Adversary-in-the-Middle (T1557)"], "intake-formats": ["Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "7f290c99-7cb3-49a4-9437-40d047a3c32c", "name": "SolarWinds Wrong Child Process", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects SolarWinds process starting an unusual child process. Process solarwinds.businesslayerhost.exe and solarwinds.businesslayerhostx64.exe created an unexepected child process which doesn't correspond to the legitimate ones.", "attack": ["privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["ESET Protect", "Crowdstrike Falcon Telemetry", "OCSF", "Tanium", "Cybereason EDR activity", "Sophos Analysis Threat Center", "Stormshield SES", "SentinelOne EDR", "Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "Azure Activity Logs", "CrowdStrike Falcon", "Bitdefender GravityZone", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Elastic Winlogbeat"]}, {"uuid": "1646131c-a984-433f-94fa-208eda41164c", "name": "WCE wceaux.dll Creation", "effort": "intermediate", "data_sources": ["Windows event logs", "File monitoring"], "description": "Detects wceaux.dll creation while Windows Credentials Editor (WCE) is executed.", "attack": ["credential-access - OS Credential Dumping (T1003)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Cloudflare Gateway HTTP", "Netskope", "Trellix Network Security", "CyberArk Audit Logs", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Google Workspace / ChromeOS", "TEHTRIS EDR", "Watchguard EPDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Fortinet FortiProxy", "Tanium", "WithSecure Elements", "Thinkst Canary", "Cisco Secure Web Appliance", "Claroty xDome", "Sophos Analysis Threat Center", "Daspren Parad", "IBM iSeries", "Mimecast Email Security", "SonicWall Firewall", "Palo Alto NGFW", "Broadcom Siteminder", "Proofpoint PoD", "Zscaler Internet Access", "Gatewatcher AionIQ V103", "CyberArk Digital Vault", "Cisco Umbrella Proxy", "CEF", "SentinelOne EDR", "Fortinet FortiMail", "Fortinet FortiGate", "ManageEngine ADAudit Plus", "Trellix Advanced Threat Defense", "Cato Networks SASE", "Cisco Secure Firewall", "Kaspersky Endpoint Security", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Trellix ePO (on-prem)", "Sekoia.io Endpoint Agent", "IBM AIX", "One Identity SPS", "Varonis Data Security", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "Microsoft 365 / Office 365", "Gatewatcher AionIQ v102", "BeyondTrust PRA Team [BETA]", "Palo Alto Prisma access", "Postfix", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "5afb625c-c0ac-40b2-8cd5-b812796bb416", "name": "Windows Sandbox Start", "effort": "master", "data_sources": ["Windows event logs", "Process command-line parameters"], "description": "Detection of Windows Sandbox started from the command line with a config file or interactively using a WSB file.", "attack": ["execution - Windows Management Instrumentation (T1047)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Broadcom/Symantec Endpoint Security", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "db286a17-759d-4a98-9765-b6606212980f", "name": "Malicious Named Pipe", "effort": "intermediate", "data_sources": ["Windows event logs", "Named Pipes"], "description": "Detects the creation of a named pipe used by known malware. Prerequisites are logging for PipeEvents in Sysmon config (Event ID 17 and 18).", "attack": ["privilege-escalation - Process Injection (T1055)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "f10d26f4-594e-4833-98f0-82e23440bcf4", "name": "Commonly Used Commands To Stop Services And Remove Backups", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects specific commands used regularly by ransomwares to stop services or remove backups", "attack": ["impact - Service Stop (T1489)", "impact - Inhibit System Recovery (T1490)", "impact - Data Destruction (T1485)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "85b05716-b586-463a-b460-48557a2f2c11", "name": "Schtasks Persistence With High Privileges", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detection of scheduled task with high privileges used by attacker for persistence.", "attack": ["privilege-escalation - At (T1053.002)", "privilege-escalation - Scheduled Task (T1053.005)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "a6bfcc15-894a-4b71-b74c-166f9da6b9b8", "name": "User Added to Local Administrators", "effort": "master", "data_sources": ["Windows event logs", "Authentication logs"], "description": "Detects when user accounts are added which could be legitimate activity or a sign of privilege escalation activity, Potential False-Positives Legitimate administrative activity WinRM clients", "attack": ["initial-access - Valid Accounts (T1078)", "privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "d45a3a30-7ac0-4cfe-b3d8-a685c0bdd61f", "name": "UAC Bypass Using Fodhelper", "effort": "intermediate", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects UAC bypass method using Fodhelper after setting the proper registry key, used in particular by Agent Tesla (RAT) or more recently by Earth Luscas. Prerequisites are logging for Registry events in the Sysmon configuration (events 12 and 13).", "attack": ["privilege-escalation - Bypass User Account Control (T1548.002)"], "intake-formats": ["BeyondTrust Privileged Remote Access Session", "Sekoia.io Endpoint Agent", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "SentinelOne Cloud Funnel 2.0", "Windows", "Crowdstrike Falcon Telemetry", "BeyondTrust PRA Team [BETA]", "Microsoft Defender XDR (Graph API) [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "1c847dec-7c13-46f6-a89d-2ad9fef50ee5", "name": "Remote Monitoring and Management Software - Atera", "effort": "master", "data_sources": ["Process monitoring", "Network protocol analysis", "Services", "Windows Registry", "File monitoring"], "description": "Detect artifacts related to the installation or execution of the Remote Monitoring and Management tool Atera.", "attack": ["command-and-control - Remote Access Tools (T1219)"], "intake-formats": ["NeroSwarm Honeypot", "Cloudflare Gateway HTTP", "Trellix Network Security", "Cybereason EDR", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Broadcom Cloud Secure Web Gateway", "Tanium", "Thinkst Canary", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Unbound", "Zscaler Internet Access", "CEF", "SentinelOne EDR", "Cato Networks SASE", "Kaspersky Endpoint Security", "Akamai Guardicore On-Prem [BETA]", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Delinea PRA", "WatchGuard Firebox", "Systancia Cleanroom", "Bitdefender GravityZone", "Windows Log Insight", "AWS WAF", "AWS CloudFront", "Check Point NGFW", "Elastic Winlogbeat", "Cisco NX-OS", "Hornetsecurity 365 Total Protection", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "Cloudflare DNS logs", "OCSF", "Claroty xDome", "Daspren Parad", "Cisco Umbrella DNS", "Juniper NGFW", "Ivanti / Pulse Connect Secure", "Palo Alto NGFW", "Trellix EDR [ALPHA]", "Stormshield SNS", "Apache HTTP Server", "F5 BIG-IP", "Cisco Secure Firewall", "Trellix ePO (on-prem)", "ArubaOS Switch", "IBM AIX", "OGO WAF", "Jumpcloud Directory Insights", "Sophos Firewall", "Varonis Data Security", "Azure Activity Logs", "Trellix EPO [ALPHA]", "CrowdStrike Falcon", "Infoblox DDI", "Microsoft 365 / Office 365", "Gatewatcher AionIQ v102", "Palo Alto Prisma access", "Vectra Cognito Detect", "Akamai Guardicore Cloud [BETA]", "Trend Micro Apex One / Vision One endpoint", "Retarus Email Security", "BeyondTrust Privileged Remote Access Session", "Netskope", "Broadcom Edge Secure Web Gateway", "ESET Protect", "Zscaler Private Access [BETA]", "Broadcom/Symantec Endpoint Security", "AWS GuardDuty", "TEHTRIS EDR", "Watchguard EPDR", "WithSecure Elements", "Google Kubernetes Engine", "Forcepoint Secure Web Gateway", "Cisco ISE", "Nozomi CMC", "IBM iSeries", "Elastic AuditBeat Linux", "Sophos EDR", "Cloudflare WAF events", "PingFederate", "Stormshield SES", "Cisco Umbrella Proxy", "ManageEngine ADAudit Plus", "Cisco IOS router and switch", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "EfficientIP SOLIDServer DDI", "SentinelOne Singularity Identity", "Vade Cloud", "Suricata", "Palo Alto Cortex XDR (EDR)", "Cloudflare Gateway DNS", "Postfix", "Azure Windows", "NucleonEDR", "CyberArk Audit Logs", "Squid", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "Keycloak Events", "Fortinet FortiProxy", "Cybereason EDR activity", "Imperva WAF", "Cisco Secure Web Appliance", "F5 NGINX", "WALLIX Bastion", "SonicWall Firewall", "CyberArk Digital Vault", "Fortinet FortiMail", "Cloudflare Gateway Network", "Fortinet FortiGate", "HAProxy", "VMware ESXi", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "BIND", "Trend Micro Vision One Workbench Alerts [BETA]"]}, {"uuid": "8e1414e4-4133-4a49-867b-a8e513f737c7", "name": "Capture a network trace with netsh.exe", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Process use of network", "Windows event logs"], "description": "Detects capture a network trace via netsh.exe trace functionality", "attack": ["discovery - Network Sniffing (T1040)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "c4613798-aad5-40ea-81eb-31a10397dda3", "name": "Microsoft Exchange Server Creating Unusual Files", "effort": "intermediate", "data_sources": ["File monitoring", "Windows event logs", "Process monitoring"], "description": "Look for Microsoft Exchange Server\u2019s Unified Messaging service creating non-standard content on disk, which could indicate web shells or other malicious content, suggesting exploitation of CVE-2021-26858 vulnerability", "attack": ["persistence - Web Shell (T1505.003)"], "intake-formats": ["Cisco NX-OS", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Thinkst Canary", "Sophos Analysis Threat Center", "Daspren Parad", "IBM iSeries", "SonicWall Firewall", "CEF", "SentinelOne EDR", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Trellix ePO (on-prem)", "Sekoia.io Endpoint Agent", "IBM AIX", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "Microsoft 365 / Office 365", "Postfix", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "e82cf899-c793-4e70-97c4-2624dfaccca6", "name": "Phorpiex Process Masquerading", "effort": "elementary", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects specific process executable path used by the Phorpiex botnet to masquerade its system process network activity. It looks for a pattern of a system process executable name that is not legitimate and running from a folder that is created via a random algorithm 13-15 numbers long.", "attack": ["stealth - Match Legitimate Resource Name or Location (T1036.005)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "ESET Protect", "Broadcom/Symantec Endpoint Security", "Crowdstrike Falcon Telemetry", "TEHTRIS EDR", "Tanium", "WithSecure Elements", "Google Kubernetes Engine", "Daspren Parad", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "SentinelOne EDR", "Kaspersky Endpoint Security", "Akamai Guardicore On-Prem [BETA]", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Trellix ePO (on-prem)", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Trend Micro Vision One OAT [BETA]", "Systancia Cleanroom", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "d0e46c8a-7e0b-4955-95b5-0e11c0ae6d3e", "name": "Disable Workstation Lock", "effort": "elementary", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Registry change in order to disable the ability to lock the computer by using CTRL+ALT+DELETE or CTRL+L. This registry key does not exist by default. Its creation is suspicious and the value set to \"1\" means an activation. It has been used by FatalRAT, but other attacker/malware could probably use it. This rule needs Windows Registry changes (add,modification,deletion) logging which can be done through Sysmon Event IDs 12,13,14.", "attack": ["persistence - Modify Registry (T1112)"], "intake-formats": ["BeyondTrust Privileged Remote Access Session", "Sekoia.io Endpoint Agent", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "SentinelOne Cloud Funnel 2.0", "Windows", "Crowdstrike Falcon Telemetry", "BeyondTrust PRA Team [BETA]", "Microsoft Defender XDR (Graph API) [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "aab3bd39-a96a-429d-aa17-58217b87066a", "name": "PowerShell Suspicious Context Changes", "effort": "advanced", "data_sources": ["Windows event logs", "PowerShell logs", "Process use of network"], "description": "Detects some PowerShell context changes that could be used to create an interactive shell and bypass some security measures in terms of logging and execution.", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Windows", "Trend Micro Vision One Workbench Alerts [BETA]", "Elastic Winlogbeat", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "ebc80f73-7a29-45a9-bb7c-aa446a97d9e5", "name": "Suspicious Windows DNS Queries", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects a suspicious Windows command-line process making a DNS query via known abuse text paste web services. This is based on Microsoft Windows Sysmon events (Event ID 22).", "attack": ["command-and-control - Web Protocols (T1071.001)"], "intake-formats": ["Cisco NX-OS", "Broadcom/Symantec Endpoint Security", "Crowdstrike Falcon Telemetry", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Barracuda CloudGen Firewall", "OCSF", "Tanium", "Thinkst Canary", "Sophos Analysis Threat Center", "Juniper NGFW", "SonicWall Firewall", "Trend Micro Apex One / Vision One endpoint", "CEF", "Cisco Secure Firewall", "Akamai Guardicore On-Prem [BETA]", "Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Postfix", "Azure Windows", "Akamai Guardicore Cloud [BETA]", "Elastic Winlogbeat"]}, {"uuid": "24404a1b-5a8e-47be-8b40-1f371261ccb0", "name": "Network Connection Via Certutil", "effort": "intermediate", "data_sources": ["Process monitoring", "Process use of network", "Windows event logs"], "description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.", "attack": ["command-and-control - Ingress Tool Transfer (T1105)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "bdd8fab7-7f9a-407a-96c7-9c6927dc1f6c", "name": "Openfiles Usage", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects when the command openfiles, to get information on files opened remotely, is used.", "attack": ["discovery - Remote System Discovery (T1018)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "d6e348c9-35d2-42a5-8a27-2085518a10c8", "name": "Suspicious Desktopimgdownldr Execution", "effort": "intermediate", "data_sources": ["File monitoring", "Process monitoring", "Process command-line parameters", "Windows event logs"], "description": "Detects a suspicious Desktopimgdownldr execution. Desktopimgdownldr.exe is a Windows binary used to configure lockscreen/desktop image and can be abused to download malicious file.", "attack": ["command-and-control - Ingress Tool Transfer (T1105)", "persistence - Modify Registry (T1112)", "stealth - System Binary Proxy Execution (T1218)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "ESET Protect", "Broadcom/Symantec Endpoint Security", "Crowdstrike Falcon Telemetry", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Daspren Parad", "RSA SecurID", "IBM iSeries", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "SonicWall Firewall", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "CEF", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "90f75d53-9660-4d0b-aaa9-bb8d25faf9f1", "name": "Copying Sensitive Files With Credential Data", "effort": "elementary", "data_sources": ["File monitoring", "Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects copy of files with well-known filenames (sensitive files with credential data) using esentutl. This requires Windows Security event log with the Detailed File Share logging policy enabled.", "attack": ["credential-access - Security Account Manager (T1003.002)", "credential-access - NTDS (T1003.003)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "49233d45-8c88-4679-86c3-d59b48f78eaf", "name": "SCM Database Handle Failure", "effort": "master", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects non-system users failing to get a handle of the SCM database.", "attack": ["discovery - System Service Discovery (T1007)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "2eaa25ee-7416-4796-a4bf-11c58dc31350", "name": "Exchange Mailbox Export", "effort": "intermediate", "data_sources": ["Windows event logs", "PowerShell logs", "Process command-line parameters", "Process monitoring"], "description": "Detection of a standard Exchange Mailbox export, which stores all mails from a user in a pst file, from command line or PowerShell script.", "attack": ["collection - Local Email Collection (T1114.001)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "dd415468-8376-4da8-aabc-8ad565971e46", "name": "Trickbot Malware Activity", "effort": "intermediate", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters", "DLL monitoring", "Loaded DLLs"], "description": "Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe.", "attack": ["discovery - Domain Trust Discovery (T1482)", "execution - Command and Scripting Interpreter (T1059)"], "intake-formats": ["OCSF", "Sekoia.io Endpoint Agent", "Tanium", "Stormshield SES", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "SentinelOne EDR", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "cacedc72-15e4-4168-a0d5-c5b47f8fe814", "name": "Scheduled Task Creation By Non Privileged User", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects scheduled task creation, either executed by a non-system user or a user who is not administrator (the user ID is not S-1-5-18 or S-1-5-18-*). This detection rule doesn't match Sysmon EventID 1 because the user SID is always set to S-1-5-18. ", "attack": ["privilege-escalation - Scheduled Task (T1053.005)"], "intake-formats": ["IBM AIX", "OCSF", "Sekoia.io Endpoint Agent", "Tanium", "Stormshield SES", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Windows", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "RSA SecurID", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Elastic Winlogbeat", "WALLIX Bastion", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "3500f23e-d07a-4ad7-ab23-97f5f5c9f17b", "name": "Antivirus Password Dumper Detection", "effort": "elementary", "data_sources": ["Windows event logs", "Anti-virus"], "description": "Detects a highly relevant Antivirus alert that reports a password dumper. This detection relies on Windows Defender events logs. This is based on Windows Defender logs (Event ID 1116 and 1117).", "attack": ["execution - Exploitation for Client Execution (T1203)", "command-and-control - Remote Access Tools (T1219)"], "intake-formats": ["Stormshield SES", "Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "ea94fb29-73ed-4ba4-afbb-e96af771e96b", "name": "Adexplorer Usage", "effort": "advanced", "data_sources": ["Process monitoring", "Process command-line parameters", "Windows event logs"], "description": "Detects the usage of Adexplorer, a legitimate tool from the Sysinternals suite that could be abused by attackers as it can saves snapshots of the Active Directory Database.", "attack": ["credential-access - Credentials In Files (T1552.001)"], "intake-formats": ["Cisco NX-OS", "ESET Protect", "Broadcom/Symantec Endpoint Security", "Crowdstrike Falcon Telemetry", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "Keycloak Events", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Thinkst Canary", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Daspren Parad", "IBM iSeries", "Juniper NGFW", "Citrix NetScaler / ADC", "Elastic AuditBeat Linux", "SonicWall Firewall", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CEF", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Akamai Guardicore On-Prem [BETA]", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trellix ePO (on-prem)", "Trend Micro Vision One OAT [BETA]", "Jumpcloud Directory Insights", "Azure Activity Logs", "Trellix EPO [ALPHA]", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "VMware ESXi", "Microsoft 365 / Office 365", "Postfix", "Windows Log Insight", "Azure Windows", "Akamai Guardicore Cloud [BETA]", "Elastic Winlogbeat"]}, {"uuid": "81d924d0-c96f-4fa3-b7a1-4e9d5098a668", "name": "Formbook Hijacked Process Command", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects process hijacked by Formbook malware which executes specific commands to delete the dropper or copy browser credentials to the database before sending them to the C2.", "attack": ["stealth - Match Legitimate Resource Name or Location (T1036.005)"], "intake-formats": ["Crowdstrike Falcon Telemetry", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Sophos Analysis Threat Center", "Stormshield SES", "SentinelOne EDR", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "CrowdStrike Falcon", "Bitdefender GravityZone", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Elastic Winlogbeat"]}, {"uuid": "526e0767-2259-455d-a665-84a19a8b3740", "name": "Mshta JavaScript Execution", "effort": "elementary", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters"], "description": "Identifies suspicious mshta.exe commands that execute JavaScript supplied as a command line argument.", "attack": ["stealth - Mshta (T1218.005)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "717a1142-eeab-4118-98dd-20ed96534247", "name": "FromBase64String Command Line", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs", "Process command-line parameters"], "description": "Detects suspicious FromBase64String expressions in command line arguments.", "attack": ["stealth - Deobfuscate/Decode Files or Information (T1140)", "execution - PowerShell (T1059.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "762653fa-aa40-418d-8e33-c1c5b4ef92ee", "name": "DHCP Callout DLL Installation", "effort": "intermediate", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required).", "attack": ["execution - DLL Side-Loading (T1574.002)", "persistence - Modify Registry (T1112)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "8332984c-db1d-4464-bb9d-a7a501c830e4", "name": "COM Hijack Via Sdclt", "effort": "intermediate", "data_sources": ["Windows Registry", "Windows event logs"], "description": "Detects changes to 'HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute', to bypass UAC using 'sdclt.exe'.", "attack": ["persistence - Event Triggered Execution (T1546)", "privilege-escalation - Abuse Elevation Control Mechanism (T1548)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "Barracuda CloudGen Firewall", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "SentinelOne EDR", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "NucleonEDR"]}, {"uuid": "86b0e54e-060f-4b0f-b428-d4fce3d30f34", "name": "Audit CVE Event", "effort": "elementary", "data_sources": ["Windows event logs"], "description": "Detects events generated by Windows to indicate the exploitation of a known vulnerability.", "attack": ["execution - Exploitation for Client Execution (T1203)", "privilege-escalation - Exploitation for Privilege Escalation (T1068)", "stealth - Exploitation for Stealth (T1211)", "credential-access - Exploitation for Credential Access (T1212)", "lateral-movement - Exploitation of Remote Services (T1210)", "impact - Application or System Exploitation (T1499.004)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "c8809a00-b1b1-4ff3-bf15-7fceb1790370", "name": "System Network Connections Discovery", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects system network connections discovery via powershell and cmd.", "attack": ["reconnaissance - Gather Victim Network Information (T1590)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Apex One / Vision One endpoint"]}, {"uuid": "14bb5424-8720-11eb-8dcd-0242ac130003", "name": "Exfiltration And Tunneling Tools Execution", "effort": "advanced", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Execution of well known tools for data exfiltration and tunneling", "attack": ["exfiltration - Exfiltration Over C2 Channel (T1041)", "command-and-control - Protocol Tunneling (T1572)", "command-and-control - Web Protocols (T1071.001)"], "intake-formats": ["Cisco NX-OS", "ESET Protect", "Broadcom/Symantec Endpoint Security", "Crowdstrike Falcon Telemetry", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "Keycloak Events", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Thinkst Canary", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Daspren Parad", "IBM iSeries", "Juniper NGFW", "Elastic AuditBeat Linux", "SonicWall Firewall", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CEF", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Akamai Guardicore On-Prem [BETA]", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trellix ePO (on-prem)", "Trend Micro Vision One OAT [BETA]", "Jumpcloud Directory Insights", "Azure Activity Logs", "Trellix EPO [ALPHA]", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "VMware ESXi", "Microsoft 365 / Office 365", "Postfix", "Windows Log Insight", "Azure Windows", "Akamai Guardicore Cloud [BETA]", "Elastic Winlogbeat"]}, {"uuid": "7a0c45d8-0abf-4e1a-8ead-ab140617ef82", "name": "PowerShell Malicious Nishang PowerShell Commandlets", "effort": "advanced", "data_sources": ["PowerShell logs", "Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects Commandlet names and arguments from the Nishang exploitation framework.", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "4bda48a7-2890-4af0-95b7-a429904bfe13", "name": "Password Dumper Activity On LSASS", "effort": "intermediate", "data_sources": ["Authentication logs", "Process monitoring", "Windows event logs"], "description": "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN", "attack": ["credential-access - OS Credential Dumping (T1003)", "credential-access - LSASS Memory (T1003.001)"], "intake-formats": ["Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "49bd18a6-a90f-4f34-9a7b-fab9e26fed68", "name": "Audio Capture via PowerShell", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs", "PowerShell logs"], "description": "Detects audio capture via PowerShell Cmdlet", "attack": ["collection - Audio Capture (T1123)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "b51527e0-ab3a-49ea-8191-f704033a823a", "name": "Meterpreter or Cobalt Strike Getsystem Service Installation", "effort": "elementary", "data_sources": ["DLL monitoring", "Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting some of the techniques being used (technique 1,2 and 5).", "attack": ["privilege-escalation - Token Impersonation/Theft (T1134.001)", "privilege-escalation - Create Process with Token (T1134.002)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "0763de72-1a2a-4962-b2c1-f189abd4bfbe", "name": "Explorer Process Executing HTA File", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects a suspicious execution of an HTA file by the explorer.exe process. This unusual activity was observed when running IcedID malspam.", "attack": ["execution - Malicious File (T1204.002)", "stealth - Mshta (T1218.005)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "8f3d3377-e095-497b-9e6e-ccd6c9a20a90", "name": "Suspicious XOR Encoded PowerShell Command Line", "effort": "advanced", "data_sources": ["PowerShell logs", "Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects suspicious powershell process which includes bxor command, alternative obfuscation  method to b64 encoded commands.", "attack": ["execution - PowerShell (T1059.001)", "stealth - Deobfuscate/Decode Files or Information (T1140)", "stealth - Obfuscated Files or Information (T1027)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "ed05a92f-8400-4132-821b-411ab5dd2cb0", "name": "Admin Share Access", "effort": "master", "data_sources": ["Windows event logs", "Authentication logs"], "description": "Detects access to $ADMIN share. The advanced audit policy setting \"Object Access > Audit File Share\" must be configured for Success/Failure. Also be very cautious to previously check if this is not commonly used by your administrators as to remotely manage your computers.", "attack": ["lateral-movement - SMB/Windows Admin Shares (T1021.002)"], "intake-formats": ["Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "fda5c184-37a1-4ed8-9f7a-cbd29b5cc5df", "name": "Correlation Internal Ntlm Password Spraying", "effort": "master", "data_sources": ["Windows event logs"], "description": "Detect multiple NTLM authentication failed on several account from one source", "attack": ["credential-access - Password Spraying (T1110.003)"], "intake-formats": ["Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "9d8b21d6-76ca-48b7-b37a-54ad6f68489b", "name": "HTML Smuggling Suspicious Usage", "effort": "advanced", "data_sources": ["Windows event logs", "Process command-line parameters", "Process monitoring", "File monitoring"], "description": "Based on several samples from different botnets, this rule aims at detecting HTML infection chain by looking for HTML created files followed by suspicious files being executed.", "attack": ["persistence - Event Triggered Execution (T1546)", "privilege-escalation - Abuse Elevation Control Mechanism (T1548)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Netskope", "Crowdstrike Falcon Telemetry", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "Google Workspace / ChromeOS", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Watchguard EPDR", "Barracuda CloudGen Firewall", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "IBM iSeries", "WALLIX Bastion", "SonicWall Firewall", "Palo Alto NGFW", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "Zscaler Internet Access", "SentinelOne EDR", "Fortinet FortiGate", "F5 BIG-IP", "Cisco IOS router and switch", "Cato Networks SASE", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Trellix ePO (on-prem)", "SentinelOne Singularity Identity", "IBM AIX", "Sekoia.io Endpoint Agent", "Trend Micro Vision One OAT [BETA]", "Varonis Data Security", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Microsoft 365 / Office 365", "Palo Alto Prisma access", "BeyondTrust PRA Team [BETA]", "Postfix", "Trend Micro Vision One Workbench Alerts [BETA]", "NucleonEDR"]}, {"uuid": "33f170fc-358a-4364-a155-5470921f6d6b", "name": "Default Encoding To UTF-8 PowerShell", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects PowerShell encoding to UTF-8, which is used by Sliver implants. The command line just sets the default encoding to UTF-8 in PowerShell.", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "fd8af1a5-1abd-4a87-95d5-8c29511a50ab", "name": "PsExec Process", "effort": "advanced", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects PsExec execution, command line which contains pstools or installation of the PsExec service. PsExec is a SysInternals which can be used to execute a program on another computer. The tool is as much used by attackers as by administrators. ", "attack": ["execution - Service Execution (T1569.002)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "ESET Protect", "Broadcom/Symantec Endpoint Security", "NucleonEDR", "Crowdstrike Falcon Telemetry", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "Keycloak Events", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Thinkst Canary", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Daspren Parad", "RSA SecurID", "IBM iSeries", "Juniper NGFW", "Citrix NetScaler / ADC", "Elastic AuditBeat Linux", "SonicWall Firewall", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "CEF", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Akamai Guardicore On-Prem [BETA]", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trellix ePO (on-prem)", "Trend Micro Vision One OAT [BETA]", "Jumpcloud Directory Insights", "Azure Activity Logs", "Trellix EPO [ALPHA]", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Microsoft 365 / Office 365", "Postfix", "VMware ESXi", "Windows Log Insight", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Akamai Guardicore Cloud [BETA]", "Elastic Winlogbeat"]}, {"uuid": "2321039f-6772-4126-bd8f-17e8f5f0adec", "name": "Phosphorus Domain Controller Discovery", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs", "PowerShell logs"], "description": "According to the Miscosoft's report, the group Phosphorus (part of APT35) uses a specific PowerShell command to collect information about the Domain Controller. The command is the following: \"powershell.exe\" /c Get-WMIObject Win32_NTDomain | findstr DomainController", "attack": ["discovery - Domain Trust Discovery (T1482)"], "intake-formats": ["Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Windows", "Trend Micro Vision One Workbench Alerts [BETA]", "Elastic Winlogbeat", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "3b9aaf19-9776-4ee2-9311-c38cc12233af", "name": "Cmd.exe Used To Run Reconnaissance Commands", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process use of network", "Windows event logs"], "description": "Detects command lines with suspicious args", "attack": ["discovery - System Network Connections Discovery (T1049)"], "intake-formats": ["SentinelOne Singularity Identity", "OCSF", "Sekoia.io Endpoint Agent", "Tanium", "Cybereason EDR activity", "Stormshield SES", "Azure Activity Logs", "CrowdStrike Falcon", "Bitdefender GravityZone", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Windows", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "1b3a2111-47e2-4fa7-bd7f-b92c5de1e58f", "name": "High Privileges Network Share Removal", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Windows event logs"], "description": "Detects high privileges shares being deleted with the net share command.", "attack": ["stealth - Network Share Connection Removal (T1070.005)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "ed5546ae-8663-11eb-8dcd-0242ac130003", "name": "Data Compressed With Rar", "effort": "master", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters", "PowerShell logs"], "description": "An adversary may compress data in order to make it portable and minimize the amount of data sent over the network, this could be done the popular rar command line program.", "attack": ["collection - Archive via Utility (T1560.001)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "789edb8a-8722-11eb-8dcd-0242ac130003", "name": "Exploit For CVE-2017-0261 Or CVE-2017-0262", "effort": "advanced", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters", "PowerShell logs"], "description": "Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262 through command line or PowerShell script. This is a very basic detection method relying on the rare usage of EPS files from Winword.", "attack": ["stealth - Match Legitimate Resource Name or Location (T1036.005)"], "intake-formats": ["ESET Protect", "Crowdstrike Falcon Telemetry", "OCSF", "Tanium", "Cybereason EDR activity", "Sophos Analysis Threat Center", "Stormshield SES", "SentinelOne EDR", "Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Elastic Winlogbeat"]}, {"uuid": "106dbe22-de30-4d04-9df1-ee31f8dd6dd3", "name": "Alternate PowerShell Hosts Pipe", "effort": "advanced", "data_sources": ["PowerShell logs", "Process monitoring", "Windows event logs", "Named Pipes"], "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe. Prerequisites are logging for PipeEvents in Sysmon config.", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "c1a4626c-461e-4c4f-91cd-1d24b5350e75", "name": "Sysprep On AppData Folder", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects suspicious Sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec). Sysprep is a Windows tool used to change Windows images from a generalized state to a specialized state, and then back to a generalized state. It can be used to remove all system-specific information and reset the computer.", "attack": ["execution - Command and Scripting Interpreter (T1059)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "2ed7c9d1-9cf7-4107-9621-eec2f3cc79a9", "name": "PowerShell Commands Invocation", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects the execution to invoke a powershell command. This was used in an intrusion using Gootloader to access Mimikatz.", "attack": ["execution - Command and Scripting Interpreter (T1059)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "72a1e356-f797-42eb-9ba6-da8efbe3c903", "name": "OceanLotus Registry Activity", "effort": "intermediate", "data_sources": ["Windows Registry", "Windows event logs"], "description": "Detects registry keys created in OceanLotus (also known as APT32) attack. Logging for Registry events is needed in the Sysmon configuration (events 12 and 13).", "attack": ["persistence - Modify Registry (T1112)"], "intake-formats": ["BeyondTrust Privileged Remote Access Session", "Sekoia.io Endpoint Agent", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "Crowdstrike Falcon Telemetry", "BeyondTrust PRA Team [BETA]", "Microsoft Defender XDR (Graph API) [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "af6a3529-3482-4583-9fa7-0b74d899c959", "name": "Clear EventLogs Through CommandLine", "effort": "intermediate", "data_sources": ["Windows event logs", "Process command-line parameters", "Process monitoring"], "description": "Detects a command that clears event logs which could indicate an attempt from an attacker to erase its previous traces.", "attack": ["stealth - Indicator Removal (T1070)", "stealth - Indicator Blocking (T1562.006)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "b0d3527c-a745-11eb-b949-f0d5bf514442", "name": "Potential RDP Connection To Non-Domain Host", "effort": "master", "data_sources": ["Windows event logs"], "description": "Detects logons using NTLM to hosts that are potentially not part of the domain using RDP (TermSrv). Event ID 8001 corresponds to outgoing NTLM authentication traffic and TermSrv stands for RDP Terminal Services Server. Check if the contacted host is legitimate. To use this detection rule, enable logging of outbound NTLM authentications on all domain controllers, using the following Group Policy (GPO) - Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers -> Define this policy setting: Audit all.", "attack": ["lateral-movement - Pass the Hash (T1550.002)"], "intake-formats": ["Palo Alto NGFW", "AWS CloudTrail", "WithSecure Elements", "Azure Network Watcher [DEPRECATED]", "Palo Alto Prisma access", "Windows", "Fortinet FortiGate", "F5 BIG-IP", "Azure Windows", "Elastic Winlogbeat", "Sekoia.io Endpoint Agent"]}, {"uuid": "5a6e479e-f2f0-45bb-8112-9b9e1417a72c", "name": "RDP Port Change Using Powershell", "effort": "intermediate", "data_sources": ["PowerShell logs", "Process monitoring", "Windows event logs", "Windows Registry"], "description": "Detects RDP port configuration change using a PowerShell command such as 'Set-ItemProperty -Path \"HKLM:\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" -Name PortNumber -Value XXX Restart-Service termservice -force'. Threat actors can change RDP to another port to bypass protections, avoid detection based on the port, or to take full control of the system. ", "attack": ["persistence - Modify Registry (T1112)", "command-and-control - Non-Standard Port (T1571)", "lateral-movement - Remote Desktop Protocol (T1021.001)"], "intake-formats": ["Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Windows", "Trend Micro Vision One Workbench Alerts [BETA]", "Elastic Winlogbeat", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "0d95b214-5259-4975-94e5-5fc8575c8321", "name": "Microsoft Defender Antivirus Configuration Changed", "effort": "master", "data_sources": ["Windows event logs", "Anti-virus"], "description": "Detects when an feature configuration change is made to Microsoft Windows Defender (enabling or disabling real-time protection, etc.)", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "77b352ba-69c7-4351-8572-405015936fd1", "name": "Wsmprovhost Wrong Parent", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects if the Wsmprovhost process was executed by a non-legitimate parent process. The PowerShell host wsmprovhost.exe is a proxy process executed remotely through PowerShell when using Windows Remote Management (WinRM).", "attack": ["privilege-escalation - Process Injection (T1055)", "privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Tanium", "Stormshield SES", "ESET Protect", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Windows", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "6b5bdbfa-2c94-4c26-aa61-b748054b8399", "name": "LSASS Memory Dump File Creation", "effort": "intermediate", "data_sources": ["File monitoring", "Windows event logs"], "description": "LSASS memory dump creation using operating systems utilities. Procdump will use process name in output file if no name is specified.", "attack": ["credential-access - LSASS Memory (T1003.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "19628af2-d55d-4b46-a405-0fcdc28bcced", "name": "Suspicious Driver Loaded", "effort": "intermediate", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Checks the registry key for suspicious driver names that are vulnerable most of the time and loaded in a specific location by the KDU tool from hfiref0x. Some drivers are used by several SysInternals tools, which should have been whitelisted in the filter condition. The driver named \"DBUtilDrv2\" has been removed as it caused too many false positives unfortunately. It can be added under \"drv_name\" if more coverage is wanted. This rule needs registry key monitoring (can be done with Sysmon Event IDs 12,13 and 14).", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["BeyondTrust Privileged Remote Access Session", "Sekoia.io Endpoint Agent", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "Crowdstrike Falcon Telemetry", "BeyondTrust PRA Team [BETA]", "Microsoft Defender XDR (Graph API) [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "83ec9281-3078-409c-9905-ab9165495b9f", "name": "Backup Catalog Deleted", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "The rule detects when the Backup Catalog has been deleted. It means the administrators will not be able to access any backups that were created earlier to perform recoveries. This is often being done using the wbadmin.exe tool.", "attack": ["impact - Data Destruction (T1485)"], "intake-formats": ["ArubaOS Switch", "Keycloak Events", "AWS CloudTrail", "NeroSwarm Honeypot", "OCSF", "Delinea PRA", "WithSecure Elements", "Stormshield SES", "CyberArk Audit Logs", "Windows", "Fortinet FortiGate", "Azure Windows", "Ivanti / Pulse Connect Secure", "Elastic Winlogbeat", "Trellix ePO (on-prem)", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "d1730225-97cd-414a-8538-92986d07bfa2", "name": "Windows Firewall Changes", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects changes on Windows Firewall configuration", "attack": ["stealth - Disable or Modify System Firewall (T1562.004)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "a4caed33-d86a-496c-8d97-a8fc87486502", "name": "Microsoft Defender Antivirus Tampering Detected", "effort": "advanced", "data_sources": ["Windows event logs", "Anti-virus"], "description": "Detection of Windows Defender Tampering, from definitions' deletion to deactivation of parts or all of Defender.", "attack": ["stealth - Impair Defenses (T1562)", "stealth - Indicator Removal (T1070)"], "intake-formats": ["ArubaOS Switch", "Keycloak Events", "AWS CloudTrail", "NeroSwarm Honeypot", "OCSF", "Delinea PRA", "WithSecure Elements", "Stormshield SES", "CyberArk Audit Logs", "Windows", "Fortinet FortiGate", "Azure Windows", "Ivanti / Pulse Connect Secure", "Elastic Winlogbeat", "Trellix ePO (on-prem)", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "299e7e60-205f-4de6-a6b6-43de66177878", "name": "Sigma Intelligence ErrTraffic PowerShell Command Line", "effort": "elementary", "data_sources": ["PowerShell logs"], "description": "Detects powershell script executed via ErrTraffic infection chain", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Windows", "Trend Micro Vision One Workbench Alerts [BETA]", "Elastic Winlogbeat", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "4bf49bb8-3d53-4580-ad21-ad09aece217c", "name": "Anomaly New PowerShell Remote Session", "effort": "master", "data_sources": ["Windows event logs", "PowerShell logs"], "description": "Detects when PowerShell remote sessions are created in a short amount of time.", "attack": ["initial-access - External Remote Services (T1133)"], "intake-formats": []}, {"uuid": "ef5a9c6a-bdd6-4dbe-8c99-d628e9db22a3", "name": "DHCP Server Loaded the CallOut DLL", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded. This would indicate a succesful attack against DHCP service allowing to disrupt the service or alter the integrity of the responses.", "attack": ["execution - DLL Side-Loading (T1574.002)"], "intake-formats": ["ArubaOS Switch", "Keycloak Events", "AWS CloudTrail", "NeroSwarm Honeypot", "OCSF", "Delinea PRA", "WithSecure Elements", "Stormshield SES", "CyberArk Audit Logs", "Windows", "Fortinet FortiGate", "Azure Windows", "Ivanti / Pulse Connect Secure", "Elastic Winlogbeat", "Trellix ePO (on-prem)", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "67722502-8721-11eb-8dcd-0242ac130003", "name": "Exploit For CVE-2015-1641", "effort": "elementary", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects Winword process starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641", "attack": ["execution - Exploitation for Client Execution (T1203)", "execution - Malicious File (T1204.002)"], "intake-formats": ["SentinelOne Singularity Identity", "OCSF", "Sekoia.io Endpoint Agent", "Tanium", "Cybereason EDR activity", "ESET Protect", "Stormshield SES", "Azure Activity Logs", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "e030b7df-fb87-4a71-bf83-71c7d72ca76b", "name": "Suspicious Network Args In Command Line", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detection on some commonly observed suspicious processes command lines using HTTP schema with port 443.", "attack": ["command-and-control - Non-Standard Port (T1571)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "204ba402-4d69-49c0-aa8e-38988a93e882", "name": "Elise Backdoor", "effort": "elementary", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters"], "description": "Detects Elise backdoor activity as used by Lotus Blossom", "attack": ["execution - Windows Command Shell (T1059.003)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "75b9eae4-e974-40a2-92d4-3b2388d05404", "name": "SAM Registry Hive Handle Request", "effort": "advanced", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects handles requested to SAM registry hive", "attack": ["credential-access - Security Account Manager (T1003.002)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "47447d4a-6b1b-415a-a01c-fb45b160d515", "name": "UAC Bypass Via Sdclt", "effort": "elementary", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects changes to HKCU\\Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand by an attacker in order to bypass User Account Control (UAC)", "attack": ["privilege-escalation - Bypass User Account Control (T1548.002)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "9ab7df82-9116-4899-913d-0af602aa1085", "name": "LanManServer Registry Modify", "effort": "elementary", "data_sources": ["Windows Registry"], "description": "Detects when the LanManServer registry sub-key MaxMpxCt is modified. An attacker can modified this value to increase the maximum number of outstanding client requests supported. ", "attack": ["persistence - Modify Registry (T1112)"], "intake-formats": ["BeyondTrust Privileged Remote Access Session", "Sekoia.io Endpoint Agent", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "SentinelOne Cloud Funnel 2.0", "Windows", "Crowdstrike Falcon Telemetry", "BeyondTrust PRA Team [BETA]", "Microsoft Defender XDR (Graph API) [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "5e44c927-352d-4801-a375-81d959f20a52", "name": "Suspicious Headless Web Browser Execution To Download File", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Process use of network", "Windows event logs"], "description": "Detects a suspicious command used to execute a Chromium-based web browser (Chrome or Edge) using the headless mode, meaning that the browser window wouldn't be visible, and the dump mode to download a file. This technique can be used to fingerprint the compromised host, in particular by the Ducktail infostealer.", "attack": ["discovery - System Network Configuration Discovery (T1016)", "discovery - System Information Discovery (T1082)", "command-and-control - Ingress Tool Transfer (T1105)", "stealth - Hidden Window (T1564.003)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "00db53fd-dbb2-4a4d-affb-2e76600a833b", "name": "Svchost Modification", "effort": "advanced", "data_sources": ["Windows Registry", "Windows event logs"], "description": "Detects the modification of svchost in the registry.", "attack": ["privilege-escalation - Registry Run Keys / Startup Folder (T1547.001)"], "intake-formats": ["BeyondTrust Privileged Remote Access Session", "Sekoia.io Endpoint Agent", "Tanium", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "Crowdstrike Falcon Telemetry", "BeyondTrust PRA Team [BETA]", "Microsoft Defender XDR (Graph API) [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "6797e888-619a-4d22-98c4-ee2129a04630", "name": "RedMimicry Winnti Playbook Dropped File", "effort": "elementary", "data_sources": ["Windows event logs"], "description": "Detects actions caused by the RedMimicry Winnti playbook", "attack": ["credential-access - Security Account Manager (T1003.002)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "e6301dd8-a196-472a-b0c6-474f719a2828", "name": "Winrshost Wrong Parent", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects if the Winrshosts process was executed by a non-legitimate parent process The winrshost.exe is a Host Process for WinRM's Remote Shell plugin.", "attack": ["privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Sekoia.io Endpoint Agent", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Windows", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "ccfe820b-29ef-4d7b-8b83-c4cf69ce44da", "name": "PowerShell Malicious PowerShell Commandlets", "effort": "master", "data_sources": ["PowerShell logs", "Windows event logs"], "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks (PowerSploit...).", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Windows", "Trend Micro Vision One Workbench Alerts [BETA]", "Elastic Winlogbeat", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "f394122b-8340-42ad-9631-4d04fee9c876", "name": "NetNTLM Downgrade Attack", "effort": "intermediate", "data_sources": ["Access tokens", "Windows event logs", "Windows Registry"], "description": "Detects changes in Windows Registry key (LMCompatibilityLevel, NTLMMinClientSec or RestrictSendingNTLMTraffic) which can lead to NetNTLM downgrade attack. The rule requires to log registry keys creation or update, it can be done using Sysmon's Event ID 12,13 and 14.", "attack": ["stealth - Disable or Modify Tools (T1562.001)", "persistence - Modify Registry (T1112)", "credential-access - OS Credential Dumping (T1003)"], "intake-formats": ["BeyondTrust Privileged Remote Access Session", "Sekoia.io Endpoint Agent", "Stormshield SES", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "Crowdstrike Falcon Telemetry", "BeyondTrust PRA Team [BETA]", "Microsoft Defender XDR (Graph API) [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Elastic Winlogbeat", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "5cf28b01-adeb-4468-936c-28494f8ec5aa", "name": "New Or Renamed User Account With '$' In Attribute 'SamAccountName'", "effort": "intermediate", "data_sources": ["Authentication logs", "Windows event logs"], "description": "Detects possible bypass EDR and SIEM via abnormal user account name.", "attack": ["stealth - Masquerading (T1036)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "cbba591a-7dea-4f7b-a7f3-b5056906e99b", "name": "Web Application Launching Shell", "effort": "master", "data_sources": ["Windows event logs"], "description": "Detects when a web application launches a shell.", "attack": ["execution - Windows Command Shell (T1059.003)"], "intake-formats": ["SentinelOne Singularity Identity", "OCSF", "Sekoia.io Endpoint Agent", "Tanium", "Cybereason EDR activity", "ESET Protect", "Stormshield SES", "Azure Activity Logs", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "bb1733db-3eda-4f00-bd13-e6ae600215ce", "name": "Malicious PowerShell Keywords", "effort": "advanced", "data_sources": ["PowerShell logs", "Windows event logs"], "description": "Detects keywords from well-known PowerShell exploitation frameworks", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Windows", "Trend Micro Vision One Workbench Alerts [BETA]", "Elastic Winlogbeat", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "1ac03946-f9fa-490c-ab23-88b4514e733c", "name": "Eventlog Cleared", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "Some threat groups tend to delete local EventLogs (Security being the most common one to be deleted) using certain utilities. The EventID 517 is old and 1102 should be used for this instead on newer Windows versions.", "attack": ["stealth - Clear Windows Event Logs (T1070.001)"], "intake-formats": ["Elastic Winlogbeat", "Stormshield SES", "Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "a0befae8-e0f4-4b71-ae10-8265daf21126", "name": "Account Tampering - Suspicious Failed Logon Reasons", "effort": "advanced", "data_sources": ["Authentication logs", "Windows event logs"], "description": "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted. Depending on the network environment some failed logons Status can be added to the list.", "attack": ["initial-access - Valid Accounts (T1078)"], "intake-formats": ["Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "a5eb473a-6005-4976-9d62-2995f85daa12", "name": "MalwareBytes Uninstallation", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects command line being used by attackers to uninstall Malwarebytes.", "attack": ["stealth - Disable or Modify Tools (T1562.001)", "execution - Windows Command Shell (T1059.003)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "d670eb5b-2d94-4407-a677-cbda8efbd5da", "name": "Active Directory Replication from Non Machine Account", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials. It requires a configuration step where the legit service account should be added to the exclusion list.", "attack": ["credential-access - DCSync (T1003.006)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "95028c6e-b513-46a7-b758-1f8c1d65f5f8", "name": "Registry Checked For Lanmanserver DisableCompression Parameter", "effort": "master", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects registry access for Lanmanserver\\Parameters. The check of the value DisableCompression could be a sign of an attack trying to exploit SMBGhost vulnerability (CVE-2020-0796).", "attack": ["lateral-movement - Exploitation of Remote Services (T1210)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "43fab0ee-f33c-4816-a8d8-97cf6687682c", "name": "Remote Task Creation Via ATSVC Named Pipe", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "Detects remote task creation via at.exe or API interacting with ATSVC Named Pipe. This requires Windows Security event logging with the File Share policy.", "attack": ["privilege-escalation - At (T1053.002)"], "intake-formats": ["Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "c345b95e-b9f4-4192-8c6b-703cc86935e7", "name": "Blue Mockingbird Malware", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs", "Windows Registry"], "description": "Attempts to detect system changes made by Blue Mockingbird", "attack": ["persistence - Modify Registry (T1112)", "execution - Windows Management Instrumentation (T1047)", "privilege-escalation - At (T1053.002)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "d29bcb40-cba9-42c3-b9cb-a4798bb1331e", "name": "Cobalt Strike Default Service Creation Usage", "effort": "elementary", "data_sources": ["Windows event logs", "Process monitoring"], "description": "Detects Cobalt Strike usage from an existing beacon when attacker tries to elevate or move laterally through a service creation.", "attack": ["privilege-escalation - Windows Service (T1543.003)", "lateral-movement - SMB/Windows Admin Shares (T1021.002)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "b344066e-8710-11eb-8dcd-0242ac130003", "name": "ETW Tampering", "effort": "intermediate", "data_sources": ["Windows event logs", "Process command-line parameters", "Process monitoring"], "description": "Detects a command that clears or disables any ETW Trace log which could indicate a logging evasion", "attack": ["stealth - Indicator Removal (T1070)", "stealth - Indicator Blocking (T1562.006)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "3d446ca3-0f22-4386-a9fd-4f4c6a0b6e08", "name": "IcedID Execution Using Excel", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects Excel spawning a process (rundll32 or wmic) running suspicious command-line. This behaviour could correspond to IcedID activity. ", "attack": ["execution - Malicious File (T1204.002)", "persistence - Office Template Macros (T1137.001)", "stealth - Regsvr32 (T1218.010)", "stealth - Rundll32 (T1218.011)"], "intake-formats": ["SentinelOne Singularity Identity", "OCSF", "Sekoia.io Endpoint Agent", "Tanium", "Cybereason EDR activity", "Stormshield SES", "Azure Activity Logs", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "e1775f36-13d0-4cd9-a62a-cfbf11bfa397", "name": "Empire Monkey Activity", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects EmpireMonkey APT reported Activity", "attack": ["stealth - Rundll32 (T1218.011)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "5056938a-e4e4-48a1-9e87-cab615953eff", "name": "Active Directory User Backdoors", "effort": "intermediate", "data_sources": ["Access tokens", "Windows event logs"], "description": "Detects scenarios where the attacker controls another user or computer account without having to use their credentials.", "attack": ["privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "bf922381-c7ae-43a0-b92f-4e9a72b0b5f3", "name": "STRRAT Scheduled Task", "effort": "intermediate", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters"], "description": "Detect STRRAT when it achieves persistence by creating a scheduled task. STRRAT is a Java-based stealer and remote backdoor, it establishes persistence using this specific command line: 'cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr \"C:\\Users\\Admin\\AppData\\Roaming\\SAMPLENAME.jar\"'", "attack": ["privilege-escalation - Scheduled Task (T1053.005)"], "intake-formats": ["SentinelOne Singularity Identity", "OCSF", "Sekoia.io Endpoint Agent", "Tanium", "Cybereason EDR activity", "Stormshield SES", "Azure Activity Logs", "CrowdStrike Falcon", "Bitdefender GravityZone", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Windows", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "f597a828-2c6a-4452-9e24-0ce7cd31fb81", "name": "Registry Key Used By Some Old Agent Tesla Samples", "effort": "intermediate", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects potential use of the RUN registry key to execute some Agent Tesla samples at boot. Prerequisites are to log for Registry events in the Sysmon configuration (events 12 and 13).", "attack": ["privilege-escalation - Registry Run Keys / Startup Folder (T1547.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "9b9c64f9-13b7-49ca-bf25-aebd1f980d80", "name": "Microsoft Office Startup Add-In", "effort": "elementary", "data_sources": ["File monitoring", "Windows event logs"], "description": "Detects add-ins that load when Microsoft Word or Excel starts (.wll/.xll are simply .dll fit for Word or Excel). The rule requires File Creation logging to work, which can be done using Sysmon Event ID 11.", "attack": ["persistence - Add-ins (T1137.006)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "e8656dd6-c264-4135-a10f-c3dba4a9f8de", "name": "Malware Outbreak", "effort": "advanced", "data_sources": ["Windows event logs", "Anti-virus", "File monitoring"], "description": "Spots a peak of malware detection by windows defender on this perimeter.", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": []}, {"uuid": "64d8b597-7033-4c85-b6aa-6f7c91f93be2", "name": "Suspicious PROCEXP152.sys File Created In Tmp", "effort": "advanced", "data_sources": ["File monitoring", "Process monitoring", "Windows event logs"], "description": "Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU. Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Cisco NX-OS", "NeroSwarm Honeypot", "BeyondTrust Privileged Remote Access Session", "Cloudflare Gateway HTTP", "Netskope", "ESET Protect", "Trellix Network Security", "Broadcom/Symantec Endpoint Security", "CyberArk Audit Logs", "Crowdstrike Falcon Telemetry", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "Google Workspace / ChromeOS", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "TEHTRIS EDR", "Watchguard EPDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Fortinet FortiProxy", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Thinkst Canary", "Cisco Secure Web Appliance", "Claroty xDome", "VMware vCenter", "Sophos Analysis Threat Center", "Daspren Parad", "IBM iSeries", "Juniper NGFW", "Mimecast Email Security", "SonicWall Firewall", "Palo Alto NGFW", "Broadcom Siteminder", "Sophos EDR", "Stormshield SES", "Proofpoint PoD", "Trend Micro Apex One / Vision One endpoint", "Zscaler Internet Access", "Gatewatcher AionIQ V103", "CyberArk Digital Vault", "Cisco Umbrella Proxy", "CEF", "SentinelOne EDR", "Fortinet FortiMail", "Fortinet FortiGate", "ManageEngine ADAudit Plus", "Trellix Advanced Threat Defense", "Cato Networks SASE", "Cisco Secure Firewall", "Kaspersky Endpoint Security", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "Trellix ePO (on-prem)", "IBM AIX", "One Identity SPS", "Varonis Data Security", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Microsoft 365 / Office 365", "Gatewatcher AionIQ v102", "BeyondTrust PRA Team [BETA]", "Palo Alto Prisma access", "Postfix", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "c7fc2046-a3cc-4811-b7e5-6f1fb0c4d680", "name": "Debugging Software Deactivation", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "PowerShell logs", "Windows event logs"], "description": "Deactivation of some debugging softwares using taskkill command. It was observed being used by Ransomware operators.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "6c9e73ab-cf3a-4e53-839d-1beed91d492c", "name": "Ntfsinfo Usage", "effort": "advanced", "data_sources": ["Process monitoring", "Process command-line parameters"], "description": "Detects when the command ntfsinfo is used. An attacker can access to information on the volume from NTFS and have a directory dump of NTFS files.", "attack": ["collection - Data from Local System (T1005)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "e6b63976-14da-44bc-88f4-b89a656306ac", "name": "XCopy Suspicious Usage", "effort": "advanced", "data_sources": ["Process monitoring", "Process command-line parameters", "Windows event logs"], "description": "Detects the usage of xcopy with suspicious command line options (used by Judgment Panda APT in the past). The rule is based on command line only in case xcopy is renamed.", "attack": ["credential-access - Credentials In Files (T1552.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "6b5e37d7-d596-47b9-990a-fa8ea86f09d5", "name": "Successful Overpass The Hash Attempt", "effort": "advanced", "data_sources": ["Authentication logs", "Windows event logs"], "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.", "attack": ["lateral-movement - Pass the Hash (T1550.002)"], "intake-formats": ["Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "940fb679-26c6-44f2-898e-240a2d8f98e9", "name": "AD Privileged Users Or Groups Reconnaissance", "effort": "master", "data_sources": ["Windows event logs"], "description": "Detect privileged users or groups reconnaissance based on 4661 Event ID and known privileged users or groups SIDs. If the user account name is not a known admin it is suspicious.", "attack": ["discovery - Account Discovery (T1087)", "discovery - Domain Account (T1087.002)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "eba9c01a-b88f-47af-b642-0a46fc849e4e", "name": "FlowCloud Malware", "effort": "elementary", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects FlowCloud malware from threat group TA410. This requires Windows Event registry logging.", "attack": ["persistence - Modify Registry (T1112)"], "intake-formats": ["BeyondTrust Privileged Remote Access Session", "Sekoia.io Endpoint Agent", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "Crowdstrike Falcon Telemetry", "BeyondTrust PRA Team [BETA]", "Microsoft Defender XDR (Graph API) [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "d26e23cb-cf9b-4791-aefc-dff3d3dd5745", "name": "Suspicious Windows ANONYMOUS LOGON Local Account Created", "effort": "elementary", "data_sources": ["Windows event logs"], "description": "Detects the creation of suspicious accounts simliar to ANONYMOUS LOGON, such as using additional spaces. Created as a covering detection for attackers trying to created an ANONYMOUS LOGON account as it is an account named used in internal Windows events and frequently filtered by attackers.", "attack": ["persistence - Local Account (T1136.001)", "persistence - Domain Account (T1136.002)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "2ace2370-55e3-4011-b7d5-06dbeae79ef6", "name": "Credentials Extraction", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "This rule aims to detect the use of a specific command to access some credentials without using mimikatz or another tool.", "attack": ["credential-access - Unsecured Credentials (T1552)", "credential-access - Credentials from Password Stores (T1555)"], "intake-formats": ["VMware ESXi", "SentinelOne Cloud Funnel 2.0", "Forcepoint Next-Generation Firewall", "Juniper NGFW", "Windows", "Elastic AuditBeat Linux", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "207d601b-0e68-4326-9150-0da6a23d9038", "name": "Windows Defender Logging Modification Via Registry", "effort": "elementary", "data_sources": ["Windows Registry"], "description": "Detects when the logging for defender is disabled in the registry.", "attack": ["persistence - Modify Registry (T1112)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "46748666-f104-4e5a-baeb-b4ae66216d57", "name": "Credential Dumping By LaZagne", "effort": "elementary", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects LSASS process access by LaZagne for credential dumping. ", "attack": ["credential-access - LSASS Memory (T1003.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "49723ee1-5b07-4d70-b044-c215a1378e64", "name": "Elevated Shell Launched By Browser", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "Detects when openwith.exe is launched with privileges followed by a browser launching an elevated shell. Related to the CVE-2024-38014.", "attack": ["execution - Hijack Execution Flow (T1574)", "resource-development - Vulnerabilities (T1588.006)"], "intake-formats": ["ESET Protect", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "Cybereason EDR activity", "VMware vCenter", "Juniper NGFW", "SonicWall Firewall", "Stormshield SES", "SentinelOne EDR", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "Trend Micro Vision One OAT [BETA]", "VMware ESXi", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Microsoft 365 / Office 365", "Trend Micro Apex One / Vision One endpoint"]}, {"uuid": "990ed23b-d598-45ae-8b43-156538ee9d1c", "name": "Microsoft Office Creating Suspicious File", "effort": "master", "data_sources": ["File monitoring", "Process monitoring", "Windows event logs"], "description": "Detects Microsoft Office process (word, excel, powerpoint) creating a suspicious file which corresponds to a script or an executable. This behavior highly corresponds to an executed macro which loads an installation script or a malware payload. The rule requires to log for File Creations to work properly, which can be done through Sysmon Event ID 11.", "attack": ["execution - Malicious File (T1204.002)", "execution - Command and Scripting Interpreter (T1059)", "execution - Visual Basic (T1059.005)"], "intake-formats": ["Cisco NX-OS", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Sophos Analysis Threat Center", "Daspren Parad", "IBM iSeries", "SonicWall Firewall", "CEF", "SentinelOne EDR", "Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent", "IBM AIX", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "563c7c7a-4c54-44de-a081-8cf99c1d2103", "name": "Microsoft Defender Antivirus Disable Scheduled Tasks", "effort": "intermediate", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters"], "description": "The rule detects attempts to deactivate/disable Windows Defender scheduled tasks via command line or PowerShell scripts.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "80c85cbc-676f-472f-93a8-8c9fdce571e5", "name": "NTDS.dit File In Suspicious Directory", "effort": "advanced", "data_sources": ["File monitoring", "Windows event logs"], "description": "The file NTDS.dit is supposed to be located mainly in C:\\Windows\\NTDS. The rule checks whether the file is in a legitimate directory or not (through file creation events). This is usually really suspicious and could indicate an attacker trying copy the file to then look for users password hashes.", "attack": ["credential-access - NTDS (T1003.003)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Netskope", "Trellix Network Security", "CyberArk Audit Logs", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Watchguard EPDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Sophos Analysis Threat Center", "Daspren Parad", "IBM iSeries", "SonicWall Firewall", "Palo Alto NGFW", "CEF", "SentinelOne EDR", "ManageEngine ADAudit Plus", "Kaspersky Endpoint Security", "Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent", "IBM AIX", "One Identity SPS", "Varonis Data Security", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Palo Alto Prisma access", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "cf1ff94f-9041-4a19-bac8-a8daba0ef1ae", "name": "RDP Sensitive Settings Changed", "effort": "advanced", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects changes to RDP terminal service sensitive settings. Logging for registry events is needed in the Sysmon configuration (events 12 and 13).", "attack": ["persistence - Modify Registry (T1112)"], "intake-formats": ["BeyondTrust Privileged Remote Access Session", "Sekoia.io Endpoint Agent", "Tanium", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "Crowdstrike Falcon Telemetry", "BeyondTrust PRA Team [BETA]", "Microsoft Defender XDR (Graph API) [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "0050de2e-5686-4ff5-a5a3-945db3704a6a", "name": "Aspnet Compiler", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects the starts of aspnet compiler.", "attack": ["execution - Command and Scripting Interpreter (T1059)"], "intake-formats": ["Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "Keycloak Events", "Tanium", "WithSecure Elements", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Juniper NGFW", "IBM iSeries", "Elastic AuditBeat Linux", "Cisco IOS router and switch", "Cisco Secure Firewall", "Akamai Guardicore On-Prem [BETA]", "Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent", "VMware ESXi", "SentinelOne Cloud Funnel 2.0", "Microsoft 365 / Office 365", "Akamai Guardicore Cloud [BETA]", "Elastic Winlogbeat"]}, {"uuid": "b98f6724-3bb7-431a-a7f7-286df129460d", "name": "Mshta Command From A Scheduled Task", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects when an attacker leverage the Microsoft Windows Scheduled task feature to run the mshta.exe process. This is a common usage of a living-off-the-land binary, frequently abused for malicous purposes and not common nowadays in IT administration.", "attack": ["privilege-escalation - Process Injection (T1055)", "privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["OCSF", "Sekoia.io Endpoint Agent", "Tanium", "Stormshield SES", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "SentinelOne EDR", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "25b09bc2-764e-4e3a-957d-963d84c76d5c", "name": "ACLight Discovering Privileged Accounts", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects use of ACLight tool. This tool aims to discover privileged accounts by scanning the network.", "attack": ["reconnaissance - Gather Victim Network Information (T1590)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "WALLIX Bastion", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "SentinelOne EDR", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Microsoft 365 / Office 365", "NucleonEDR"]}, {"uuid": "2b37e436-1ddc-4f2c-8f4c-80732cfc83da", "name": "Werfault DLL Injection", "effort": "intermediate", "data_sources": ["Loaded DLLs", "DLL monitoring", "Windows event logs"], "description": "Werfault DLL search order look first in the current file, which lets an attacker use th legitimate exe to run its own DLL.  ", "attack": ["execution - DLL Side-Loading (T1574.002)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "b8d4c4e7-e464-4558-8683-5223eac0fd7e", "name": "Suspicious SAM Dump", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "Detects suspicious SAM dump to AppData repository, as cause by QuarksPwDump and other password dumpers. Logging for Microsoft-Windows-Kernel-General Event ID 16 or Sysmon Event ID 11 is needed.", "attack": ["credential-access - Security Account Manager (T1003.002)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "76d74ba4-0fb5-4716-b3c4-153151ad923a", "name": "Netsh Allow Command", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Process use of network", "Windows event logs"], "description": "Netsh command line to allow a program to pass through firewall.", "attack": ["stealth - Disable or Modify System Firewall (T1562.004)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "8eef02fe-9d04-4531-a4cb-10c4bf9c09f6", "name": "Disabled IE Security Features", "effort": "advanced", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters", "PowerShell logs"], "description": "Detects from the command lines or the registry, changes that indicate unwanted modifications to registry keys that disable important Internet Explorer security features. This has been used by attackers during Operation Ke3chang.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "14e6ee4d-c2f0-4d77-b6dd-c78dbd4ba038", "name": "Dism Disabling Windows Defender", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects windows defender disabled by dism.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "4acd0304-84f7-45f1-a006-1e528052a0b9", "name": "Chafer (APT 39) Activity", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "Detects previous Chafer (APT 39) activity attributed to OilRig as reported in Nyotron report in March 2018.", "attack": ["privilege-escalation - Scheduled Task (T1053.005)", "privilege-escalation - Windows Service (T1543.003)", "persistence - Modify Registry (T1112)", "command-and-control - DNS (T1071.004)"], "intake-formats": ["Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "3cac256a-24e5-4987-8e5c-9bb1ef453ef0", "name": "Evil Winrm Modules Execution", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs", "Process command-line parameters"], "description": "This rule detects suspicious PowerShell activity consistent with the Evil-WinRM remote shell being executed via the Windows Remote Management host process", "attack": ["stealth - Clear Mailbox Data (T1070.008)", "execution - PowerShell (T1059.001)"], "intake-formats": ["Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "6bc3ae62-4eaf-419d-a7b5-eb6779d5a565", "name": "Account Removed From A Security Enabled Group", "effort": "master", "data_sources": ["Authentication logs", "Windows event logs"], "description": "Detection in order to investigate who has removed a specific Domain User in Domain Admins or Group Policy Creator Owners (Security event 4729)", "attack": ["initial-access - Valid Accounts (T1078)"], "intake-formats": ["Cisco NX-OS", "ExtraHop Reveal(x) 360", "BeyondTrust Privileged Remote Access Session", "NeroSwarm Honeypot", "Kubernetes Audit Log", "Azure Network Watcher [DEPRECATED]", "Azure Network Watcher Flow Logs", "CyberArk Audit Logs", "TEHTRIS EDR", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "BeyondTrust PRA Vault Account Activity [BETA]", "Lacework Cloud Security", "Keycloak Events", "AWS CloudTrail", "OCSF", "WithSecure Elements", "Cybereason EDR activity", "Thinkst Canary", "Claroty xDome", "Salesforce", "VMware vCenter", "Forcepoint Secure Web Gateway", "Forcepoint Next-Generation Firewall", "Radware DefensePro [Beta]", "Sophos Analysis Threat Center", "RSA SecurID", "IBM iSeries", "Ivanti / Pulse Connect Secure", "Citrix NetScaler / ADC", "SonicWall Firewall", "Palo Alto NGFW", "Sophos EDR", "Clavister NGFW", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "Fortinet FortiGate", "F5 BIG-IP", "Cisco IOS router and switch", "Trellix Advanced Threat Defense", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent", "Trellix ePO (on-prem)", "ArubaOS Switch", "IBM AIX", "Delinea PRA", "WatchGuard Firebox", "Windows Log Insight", "Microsoft 365 / Office 365", "Palo Alto Prisma access", "BeyondTrust PRA Team [BETA]", "Azure Windows", "Check Point NGFW", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "6a9ff610-8704-4640-9697-412443882dee", "name": "Suspicious New Printer Ports In Registry", "effort": "master", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects a suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048. The CVE-2020-1048 consists in gaining persistence, privilege by abusing a flaw in the Print Spooler service to execute a payload whose path is stored in the registry key. To fully use this rule, prerequesites are logging for Registry events in the Sysmon configuration (events 12, 13 and 14).", "attack": ["execution - Exploitation for Client Execution (T1203)", "persistence - Modify Registry (T1112)", "privilege-escalation - Exploitation for Privilege Escalation (T1068)"], "intake-formats": ["BeyondTrust Privileged Remote Access Session", "Sekoia.io Endpoint Agent", "Tanium", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "Crowdstrike Falcon Telemetry", "BeyondTrust PRA Team [BETA]", "Microsoft Defender XDR (Graph API) [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "e9a9ca55-4a47-4c61-b57e-3ba5682a1e17", "name": "Wmic Suspicious Commands", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects suspicious commands used by the process wmic to get informations on the system.", "attack": ["reconnaissance - Gather Victim Host Information (T1592)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "Barracuda CloudGen Firewall", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Apex One / Vision One endpoint"]}, {"uuid": "8959633b-8b2c-4b66-9850-010f8c4bec02", "name": "Microsoft Defender Antivirus History Directory Deleted", "effort": "elementary", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters"], "description": "Windows Defender history directory has been deleted. This could be an attempt by an attacker to remove its traces.", "attack": ["stealth - Clear Windows Event Logs (T1070.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "d71eaa48-288f-4d60-8759-63f9effb84a0", "name": "Check Point Harmony Mobile Application Forbidden", "effort": "master", "data_sources": ["Anti-virus"], "description": "Detects when someone attempts to access/use a forbidden application.", "attack": ["execution - System Services (T1569)"], "intake-formats": ["Check Point Harmony Mobile", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "13a5b176-0087-4cd9-b909-dfce285b9357", "name": "Ngrok Process Execution", "effort": "intermediate", "data_sources": ["Process monitoring", "Process use of network", "Windows event logs"], "description": "Detects possible Ngrok execution, which can be used by attacker for RDP tunneling.", "attack": ["command-and-control - Protocol Tunneling (T1572)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "0397961b-e068-4a64-bfa2-f568e57eff69", "name": "Legitimate Process Execution From Unusual Folder", "effort": "advanced", "data_sources": ["Windows event logs", "Process monitoring"], "description": "Detects the execution of a legitimate, windows built-in process name from an unusual / suspicious folder. Legitimate folders are c:\\windows\\system32\\, \\SystemRoot\\system32\\, c:\\windows\\syswow64\\ and c:\\windows\\winsxs\\. Many malwares/attackers use legitimate names to masquerade but if they are not Administrator yet, they often can't write file into these legitimate folders.", "attack": ["stealth - Match Legitimate Resource Name or Location (T1036.005)"], "intake-formats": ["Cisco NX-OS", "ESET Protect", "Broadcom/Symantec Endpoint Security", "Crowdstrike Falcon Telemetry", "TEHTRIS EDR", "Tanium", "WithSecure Elements", "Sophos Analysis Threat Center", "Daspren Parad", "Stormshield SES", "SentinelOne EDR", "Windows", "Akamai Guardicore On-Prem [BETA]", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Trellix ePO (on-prem)", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Trend Micro Vision One OAT [BETA]", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "78136c52-61aa-4396-aff4-7559166be5d4", "name": "Netsh RDP Port Opening", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Process use of network", "Windows event logs"], "description": "Detects netsh commands that opens the port 3389 used for RDP, used in Sarwent Malware.", "attack": ["stealth - Disable or Modify System Firewall (T1562.004)", "stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "c49423f5-775b-4244-84e0-d905d61bf13d", "name": "Enabling Restricted Admin Mode", "effort": "elementary", "data_sources": ["Windows event logs", "PowerShell logs"], "description": "Detects when the restricted admin mode is enabled.", "attack": ["privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "fc0f3fd8-c16c-498b-87b3-c5675bd50730", "name": "Control Panel Items", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects the malicious use of a control panel item", "attack": ["stealth - Control Panel (T1218.002)", "persistence - Event Triggered Execution (T1546)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "9fe468be-f66d-47cb-8756-425ca517a6ba", "name": "Gpresult Usage", "effort": "advanced", "data_sources": ["Windows event logs", "Process command-line parameters"], "description": "Detects when an account uses gpresult to get information on gpo.", "attack": ["discovery - Permission Groups Discovery (T1069)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "bc5ba26d-5227-4d2a-9849-d7540b140460", "name": "Malicious Browser Extensions", "effort": "advanced", "data_sources": ["Windows event logs", "Process command-line parameters"], "description": "Detects browser extensions being loaded with the --load-extension and -base-url options, which works on Chromium-based browsers. We are looking for potentially malicious browser extensions. These extensions can get access to informations.", "attack": ["persistence - Software Extensions (T1176)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "74e784d5-39ac-439c-9e98-1671c1e4621f", "name": "Suspicious PowerShell Invocations - Specific", "effort": "intermediate", "data_sources": ["Windows event logs", "Process command-line parameters"], "description": "Detects suspicious PowerShell invocation command parameters.", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "db8c0233-587a-4b72-b7c7-58ac8aa6cdde", "name": "Microsoft Defender Antivirus Threat Detected", "effort": "advanced", "data_sources": ["Windows event logs", "Anti-virus", "File monitoring"], "description": "Detection of a windows defender alert indicating the presence of potential malware", "attack": ["execution - User Execution (T1204)", "execution - Command and Scripting Interpreter (T1059)", "execution - System Services (T1569)"], "intake-formats": ["ArubaOS Switch", "Keycloak Events", "AWS CloudTrail", "NeroSwarm Honeypot", "OCSF", "Delinea PRA", "WithSecure Elements", "Stormshield SES", "CyberArk Audit Logs", "Windows", "Fortinet FortiGate", "Azure Windows", "Ivanti / Pulse Connect Secure", "Elastic Winlogbeat", "Trellix ePO (on-prem)", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "16758c06-0570-455b-88ee-a169189099eb", "name": "Copying Browser Files With Credentials", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects copy of sensitive data (passwords, cookies, credit cards) included in web browsers files.", "attack": ["credential-access - Security Account Manager (T1003.002)", "credential-access - Steal Web Session Cookie (T1539)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "cd699737-bd8e-4e7b-a692-78eed4f358ea", "name": "Rubeus Tool Command-line", "effort": "advanced", "data_sources": ["Process command-line parameters", "Windows event logs"], "description": "Detects command line parameters used by Rubeus, a toolset to interact with Kerberos and abuse it.", "attack": ["credential-access - OS Credential Dumping (T1003)", "credential-access - Kerberoasting (T1558.003)", "lateral-movement - Pass the Ticket (T1550.003)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "bf1252f1-4928-4071-956d-7372052c28c7", "name": "DC Shadow via Service Principal Name (SPN) creation", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "Detects DCShadow via new Service Principal Name (SPN) creation ", "attack": ["defense-impairment - Rogue Domain Controller (T1207)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "d79ac837-e255-4109-8e8f-371d0ccacf61", "name": "Powershell AMSI Bypass", "effort": "advanced", "data_sources": ["Windows event logs", "PowerShell logs"], "description": "This rule aims to detect attempts to bypass AMSI in powershell using specific techniques.", "attack": ["stealth - Disable or Modify System Firewall (T1562.004)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "e7300375-9ff7-4cd7-8a75-2a7a5a4ab95e", "name": "WiFi Credentials Harvesting Using Netsh", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects the harvesting of WiFi credentials using netsh.exe.", "attack": ["discovery - Network Sniffing (T1040)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "d6fdcde0-b389-437e-bfd2-f4f7c29163e9", "name": "WMI Install Of Binary", "effort": "elementary", "data_sources": ["Windows event logs"], "description": "Detection of WMI used to install a binary on the host. It is often used by attackers as a signed binary to infect an host.", "attack": ["execution - Windows Management Instrumentation (T1047)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "e504890a-27fe-47fb-a998-91ef7352f1a5", "name": "Powershell Web Request And Windows Script", "effort": "intermediate", "data_sources": ["Windows event logs", "PowerShell logs", "Process use of network"], "description": "Detects the use of PowerShell web request method combined with Windows Script utilities. This has been observed being used by some malware loaders.", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "89d93ab3-c400-45e2-aa48-6015327b5129", "name": "Impacket Wmiexec Module", "effort": "elementary", "data_sources": ["PowerShell logs", "Windows event logs", "Process command-line parameters"], "description": "Detection of impacket's wmiexec example, used by attackers to execute commands remotely.", "attack": ["execution - Windows Management Instrumentation (T1047)"], "intake-formats": ["SentinelOne Singularity Identity", "OCSF", "Sekoia.io Endpoint Agent", "Tanium", "Cybereason EDR activity", "Stormshield SES", "Azure Activity Logs", "CrowdStrike Falcon", "Bitdefender GravityZone", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Windows", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "4b3cc041-788c-44c1-8b2a-3b4037155e6e", "name": "Disable Task Manager Through Registry Key", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs", "Windows Registry"], "description": "Detects commands used to disable the Windows Task Manager by modifying the proper registry key in order to impair security tools. This technique is used by the Agent Tesla RAT, among others.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "20a3eca9-7195-4b47-9592-89a0d4821bc5", "name": "AccCheckConsole Executing Dll", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL.", "attack": ["stealth - System Binary Proxy Execution (T1218)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "5adfa036-938e-4d7f-bc3c-9c503d601e85", "name": "WMI Fingerprint Commands", "effort": "advanced", "data_sources": ["Windows event logs", "Process command-line parameters"], "description": "Detects attacker fingerprint activities based on the correlation of specific WMIC commands. This has been observed with Aurora malware.", "attack": ["execution - Windows Management Instrumentation (T1047)", "discovery - System Information Discovery (T1082)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "Barracuda CloudGen Firewall", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "SentinelOne EDR", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "NucleonEDR"]}, {"uuid": "79ccc4f7-b22c-4c9e-8cd2-3e6d382fed1a", "name": "PowerShell Invoke Expression With Registry", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "PowerShell logs", "Windows event logs"], "description": "Detects keywords from well-known PowerShell techniques to get registry key values", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "88635016-2f52-4ebb-a4d5-35a4a6d85a44", "name": "Lsass Access Through WinRM", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects the access of LSASS.exe process through Windows Remote Management (WinRM) protocol. This is often done using Invoke-Mimikatz -ComputerName command, which uses PSRemoting and therefore WinRM. However, this is not limited to the Mimikatz threat and can be done by other tools as well. This rule needs Process Access monitoring, which can be done using Sysmon's event ID 10.", "attack": ["credential-access - LSASS Memory (T1003.001)", "lateral-movement - Windows Remote Management (T1021.006)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "39d1fe65-c708-4698-aa2f-1a87e2401bcb", "name": "WMIC Loading Scripting Libraries", "effort": "master", "data_sources": ["Loaded DLLs", "Windows event logs"], "description": "Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).   The rule requires to log Loaded DLLs to work properly, which can be done using Sysmon Event ID 7.", "attack": ["stealth - XSL Script Processing (T1220)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "3f741476-a472-45e4-b1ca-13d5dcc27954", "name": "Exfiltration Via Pscp", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects the use of pscp which is a file sharing services.", "attack": ["execution - System Services (T1569)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "8d5e2aca-32c9-499c-850b-50c0e5e1d975", "name": "AMSI Deactivation Using Registry Key", "effort": "master", "data_sources": ["Windows event logs", "Windows Registry", "Process monitoring", "Process command-line parameters"], "description": "The rule detects attempts to deactivate/disable the AMSI provider by deleting the associated registry key.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "6bc97fc1-d93b-4dae-94dd-1346b06c5954", "name": "Active Directory Data Export Using Csvde", "effort": "elementary", "data_sources": ["Process command-line parameters", "Windows event logs"], "description": "Detects the use of Csvde, a command-line tool from Windows Server that can be used to export Active Directory data to CSV files. This export doesn't include password hashes, but can be used as a discovery tool to enumerate users, machines and group memberships.", "attack": ["discovery - Domain Account (T1087.002)"], "intake-formats": ["Cisco NX-OS", "ESET Protect", "Broadcom/Symantec Endpoint Security", "Crowdstrike Falcon Telemetry", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "Keycloak Events", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Thinkst Canary", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Daspren Parad", "IBM iSeries", "Juniper NGFW", "Elastic AuditBeat Linux", "SonicWall Firewall", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CEF", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Akamai Guardicore On-Prem [BETA]", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trellix ePO (on-prem)", "Trend Micro Vision One OAT [BETA]", "Jumpcloud Directory Insights", "Azure Activity Logs", "Trellix EPO [ALPHA]", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "VMware ESXi", "Microsoft 365 / Office 365", "Postfix", "Windows Log Insight", "Azure Windows", "Akamai Guardicore Cloud [BETA]", "Elastic Winlogbeat"]}, {"uuid": "ca46a4b4-1dc1-4db2-956b-c47e43908fea", "name": "Powershell Web Request", "effort": "master", "data_sources": ["Windows event logs", "PowerShell logs", "Process use of network"], "description": "Detects the use of various web request methods executed remotely via Windows PowerShell.", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Cisco NX-OS", "ESET Protect", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Juniper NGFW", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "32697b17-fd2a-419a-8177-918c3b63518d", "name": "Privileged AD Builtin Group Modified", "effort": "master", "data_sources": ["Windows event logs"], "description": "Detects changes to privileged AD builtin groups in Active Directory that could indicate malicious or unexpected administrative activity. This detection rule detects changes on specific groups that are Administrators (S-1-5-*-500), Domain Admins (S-1-5-*-512), Enterprise Admins (S-1-5-*-519), Schema Admins (S-1-5-*-518), Account Operators (S-1-5-32-548) and Backup Operators (S-1-5-32-551).", "attack": ["impact - Account Access Removal (T1531)", "privilege-escalation - Account Manipulation (T1098)", "privilege-escalation - Domain or Tenant Policy Modification (T1484)"], "intake-formats": ["Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "16b0ac29-35b0-4289-9aab-9a50aaf4433b", "name": "Suspicious VBS Execution Parameter", "effort": "elementary", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters"], "description": "Detects suspicious VBS file execution with a specific parameter by cscript. It was observed in the Operation CloudHopper.", "attack": ["execution - Scripting (T1064)", "execution - Visual Basic (T1059.005)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "b4706924-a715-4122-b1ae-878be138d08e", "name": "Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys", "effort": "master", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects persistence registry keys. Logging for Registry events is needed, it can be done in the Sysmon configuration (events 12 and 13).", "attack": ["persistence - Image File Execution Options Injection (T1546.012)"], "intake-formats": ["BeyondTrust Privileged Remote Access Session", "Sekoia.io Endpoint Agent", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "Crowdstrike Falcon Telemetry", "BeyondTrust PRA Team [BETA]", "Microsoft Defender XDR (Graph API) [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "d946bb55-1c73-4203-9d4d-1d1f48f7c80a", "name": "MOFComp Execution", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs", "Process command-line parameters"], "description": "Detects rare usage of the Managed Object Format (MOF) compiler on Microsoft Windows. This could be abused by some attackers to load WMI classes.", "attack": ["execution - CMSTP (T1191)", "stealth - CMSTP (T1218.003)"], "intake-formats": ["SentinelOne Singularity Identity", "OCSF", "Sekoia.io Endpoint Agent", "Tanium", "Cybereason EDR activity", "Stormshield SES", "Azure Activity Logs", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "40b4f324-5ddf-4d22-8bb2-917c1502daaa", "name": "Microsoft Defender Antivirus Disable Using Registry", "effort": "master", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters", "PowerShell logs"], "description": "The rule detects attempts to deactivate/disable Microsoft Defender Antivirus using registry modification via command line or PowerShell scripts.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "70b511b8-9cbe-4fc0-832a-7b154e41b510", "name": "Csrss Wrong Parent", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "The csrss.exe process (csrss stands for Client / Server Runtime Subsystem) is a generic Windows process used to manage windows and Windows graphics. This rule analyse if the parent of this process is a legitimate one or not.", "attack": ["privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Tanium", "Stormshield SES", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Windows", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "009fb9b0-0947-4576-a6d9-3d0793e569c4", "name": "HTA Infection Chains", "effort": "advanced", "data_sources": ["Process monitoring", "Windows event logs", "File monitoring"], "description": "Detect the creation of a ZIP file and an HTA file as it is often used in infection chains. Furthermore it also detects the use of suspicious processes launched by explorer.exe combined with the creation of an HTA file, since it is also often used in infection chains (LNK - HTA for instance).", "attack": ["execution - Malicious Link (T1204.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Netskope", "ESET Protect", "Crowdstrike Falcon Telemetry", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "Google Workspace / ChromeOS", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Watchguard EPDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "Cybereason EDR activity", "Sophos Analysis Threat Center", "Daspren Parad", "IBM iSeries", "SonicWall Firewall", "Palo Alto NGFW", "Stormshield SES", "Zscaler Internet Access", "Cisco Umbrella Proxy", "CEF", "SentinelOne EDR", "Fortinet FortiGate", "Cato Networks SASE", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Trellix ePO (on-prem)", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Sekoia.io Endpoint Agent", "Varonis Data Security", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Microsoft 365 / Office 365", "Palo Alto Prisma access", "BeyondTrust PRA Team [BETA]", "Postfix", "Trend Micro Vision One Workbench Alerts [BETA]", "Trend Micro Apex One / Vision One endpoint"]}, {"uuid": "831349f2-8ca5-46e3-b3ea-38acd4b503d4", "name": "FoggyWeb Backdoor DLL Loading", "effort": "master", "data_sources": ["DLL monitoring", "Loaded DLLs", "Windows event logs"], "description": "Detects DLL image load activity as used by the threat group NOBELIUM with the FoggyWeb backdoor loader. The prerequisite is to log Loaded DLLs images, which can be done through the Sysmon Event ID 7 (DLL image loaded by process).", "attack": ["execution - Shared Modules (T1129)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "2577b765-2fcd-482c-bcb9-322834834039", "name": "Svchost Wrong Parent", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects if the svchost.exe process was executed by a non-legitimate parent process. Svchost (Service Host Process) is a generic host process name for services that run from dynamic-link libraries (DLLs).", "attack": ["privilege-escalation - Process Injection (T1055)", "privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Tanium", "Stormshield SES", "ESET Protect", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Windows", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "3bb10488-630f-472d-8ac0-fe9b9e361df7", "name": "QakBot Process Creation", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects QakBot like process executions", "attack": ["execution - Visual Basic (T1059.005)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "ESET Protect", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "1802d30d-4ca0-454f-911e-7216c57e031d", "name": "Dllhost Wrong Parent", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Dllhost.exe is a process belonging to Microsoft Windows Operating System. The dllhost.exe file manages DLL based applications. This rule analyse if the parent of this process is a legitimate one or not.", "attack": ["privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Tanium", "Stormshield SES", "ESET Protect", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Windows", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "edf13c0b-dbd3-4c96-94ce-edf31ffe8974", "name": "Windows Defender Deactivation Using PowerShell Script", "effort": "master", "data_sources": ["Windows event logs", "PowerShell logs"], "description": "Detects attempts to deactivate Windows Defender with PowerShell using ScriptBlockLogging.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Windows", "Trend Micro Vision One Workbench Alerts [BETA]", "Elastic Winlogbeat", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "e49ab6e6-0fb7-47f8-95b0-404ec3b41b31", "name": "Suspicious Control Process", "effort": "advanced", "data_sources": ["Process monitoring", "Process command-line parameters", "Windows event logs"], "description": "Detects suspicious execution of control.exe process when used to execute a DLL file.", "attack": ["stealth - Control Panel (T1218.002)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "3d0d02b2-525d-4a65-8f2d-c2f8090f1763", "name": "GPO Executable Delivery", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "Detects MSI binaries run through GPOs.", "attack": ["privilege-escalation - Group Policy Modification (T1484.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "be8b8ef3-34f3-4d3f-9d37-b9812f52b3de", "name": "Anomaly Bruteforce - User Enumeration", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "The rule detects abnormally high number of TGT failed or NTLM authent failed associate to error code username don't exist who could indicate user enumeration", "attack": ["credential-access - Brute Force (T1110)"], "intake-formats": []}, {"uuid": "e25a1cc6-7c0d-47f7-8fe0-cd4032193474", "name": "StoneDrill Service Install", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky ", "attack": ["privilege-escalation - Windows Service (T1543.003)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "23153907-a43c-4c66-aa9c-881734674ef7", "name": "Admin User RDP Remote Logon", "effort": "master", "data_sources": ["Windows event logs", "Authentication logs"], "description": "Detects remote login through Remote Desktop Protocol (RDP) by Administrator user depending on internal pattern. Check before activation the identifiable administrators usernames (pattern or special unique character (\"Admin*\") to adapt and add some filtering.", "attack": ["initial-access - Valid Accounts (T1078)", "initial-access - Default Accounts (T1078.001)", "initial-access - Domain Accounts (T1078.002)", "initial-access - Local Accounts (T1078.003)"], "intake-formats": ["Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "eee87513-7638-4666-82cf-e8cc124c825f", "name": "NlTest Usage", "effort": "advanced", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters"], "description": "Detects attempts to gather information on domain trust relationships that may be used to identify lateral movement opportunities. These command lines were observed in numerous attacks, but also sometimes from legitimate administrators for debugging purposes. The rule does not cover very basics commands but rather the ones that are interesting for attackers to gather information on a domain.", "attack": ["discovery - Domain Trust Discovery (T1482)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "ESET Protect", "Broadcom/Symantec Endpoint Security", "NucleonEDR", "Crowdstrike Falcon Telemetry", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "Keycloak Events", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Thinkst Canary", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Daspren Parad", "RSA SecurID", "IBM iSeries", "Juniper NGFW", "Citrix NetScaler / ADC", "Elastic AuditBeat Linux", "SonicWall Firewall", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "CEF", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Akamai Guardicore On-Prem [BETA]", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trellix ePO (on-prem)", "Trend Micro Vision One OAT [BETA]", "Jumpcloud Directory Insights", "Azure Activity Logs", "Trellix EPO [ALPHA]", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Microsoft 365 / Office 365", "Postfix", "VMware ESXi", "Windows Log Insight", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Akamai Guardicore Cloud [BETA]", "Elastic Winlogbeat"]}, {"uuid": "c3d29b84-d7b8-406a-b951-dfa9b60ba618", "name": "Cobalt Strike Named Pipes", "effort": "master", "data_sources": ["Windows event logs", "Named Pipes"], "description": "Detects the pipes established by Cobalt Strike to allow a communication between its beacons.", "attack": ["privilege-escalation - Process Injection (T1055)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "c0307ec4-9ffc-4d67-be9f-24a5cad89d1a", "name": "Disable Windows Defender Credential Guard", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs", "Windows Registry"], "description": "Detects registry keys being changed to disable Windows Defender Credential Guard. The rule requires to log Registry Keys modifications or creations, which can be done using Sysmon Event IDs 12,13 and 14.", "attack": ["stealth - Impair Defenses (T1562)", "stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "e1ca8aec-fb1f-4db5-a37b-67fd092447d9", "name": "Credential Dumping Tools Service Execution", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects well-known credential dumping tools execution via service execution", "attack": ["credential-access - LSASS Memory (T1003.001)", "credential-access - Security Account Manager (T1003.002)", "credential-access - LSA Secrets (T1003.004)", "credential-access - Cached Domain Credentials (T1003.005)", "credential-access - DCSync (T1003.006)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "cd520037-1575-43c4-b1d1-543a6c87fc12", "name": "Correlation PowerShell Suspicious DLL Loading", "effort": "intermediate", "data_sources": ["Process monitoring", "Process command-line parameters", "Windows event logs", "PowerShell logs"], "description": "Detect some suspicious Windows DLL Loading where some PowerShell activity from the binary itself, followed by the same DLL process spawning other process. This is related to the usage of a PowerShell Named Pipe IPC from the DLL.", "attack": ["execution - Malicious Link (T1204.001)"], "intake-formats": ["SentinelOne Singularity Identity", "Trend Micro Vision One OAT [BETA]", "Sekoia.io Endpoint Agent", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "SentinelOne EDR", "Juniper NGFW", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "25fff605-a108-44c0-b13e-776613d2353d", "name": "Antivirus Web Shell Detection", "effort": "elementary", "data_sources": ["Windows event logs", "Anti-virus"], "description": "Detects a highly relevant Antivirus alert that reports a web shell. This is based on Windows Defender logs (Event ID 1116 and 1117).", "attack": ["privilege-escalation - Web Shell (T1100)", "persistence - Web Shell (T1505.003)"], "intake-formats": ["Stormshield SES", "Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "ea64614a-f7d4-48f9-9441-baf34f9fa846", "name": "FLTMC command usage", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects the use of fltmc to list and load/unload a filter driver.", "attack": ["stealth - Indicator Blocking (T1562.006)"], "intake-formats": ["SentinelOne Singularity Identity", "OCSF", "Sekoia.io Endpoint Agent", "Tanium", "Cybereason EDR activity", "Stormshield SES", "Azure Activity Logs", "CrowdStrike Falcon", "Bitdefender GravityZone", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Windows", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "0fd6778f-c265-4a93-b736-1754778db1a1", "name": "PowerCat Function Loading", "effort": "intermediate", "data_sources": ["Windows event logs", "PowerShell logs", "Process monitoring", "Process command-line parameters"], "description": "Detect a basic execution of PowerCat. PowerCat is a PowerShell function allowing to do basic connections, file transfer, shells, relays, generate payloads.", "attack": ["persistence - Web Shell (T1505.003)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "b8b4743b-1803-42d0-bc49-0504bd4f60be", "name": "Domain Trust Discovery Through LDAP", "effort": "elementary", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters"], "description": "Detects attempts to gather information on domain trust relationships that may be used to identify lateral movement opportunities. \"trustedDomain\" which is detected here is a Microsoft Active Directory ObjectClass Type that represents a domain that is trusted by, or trusting, the local AD DOMAIN. Several tools are using LDAP queries in the end to get the information (DSQuery, sometimes ADFind as well, etc.)", "attack": ["discovery - Domain Trust Discovery (T1482)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "5925ae97-0174-42cf-8910-1ceaf38cbc51", "name": "Windows Registry Persistence COM Key Linking", "effort": "master", "data_sources": ["Process command-line parameters", "Windows event logs", "Windows Registry"], "description": "Detects COM object hijacking via TreatAs subkey. Logging for Registry events is needed in the Sysmon configuration with this kind of rule `<TargetObject name=\"testr12\" condition=\"end with\">\\TreatAs\\(Default)</TargetObject>`.", "attack": ["persistence - Component Object Model Hijacking (T1122)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "182a969f-1abf-406e-af0b-eb6a19f7e2f1", "name": "Suspicious DLL Loaded Via Office Applications", "effort": "master", "data_sources": ["Loaded DLLs", "Process monitoring", "Windows event logs"], "description": "Detects suspicious DLL being loaded by an Microsoft Office Product. Considered as suspects are some .NET DLLs, clr.dll, GAC DLL, DSParse (Active Directoryi services API) or Kerberos DLLs which may be loaded by MS Office processes when executing a potentially malicious macro. The prerequisite is to log the Sysmon Event ID 7 (DLL image loaded by process). ", "attack": ["execution - Malicious File (T1204.002)", "execution - Visual Basic (T1059.005)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "bfe00bf4-3bd0-4ae1-8485-6ef02c1d8fb9", "name": "Suspect Svchost Memory Access", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects suspect access to svchost process memory such as that used by Invoke-Phantom (v1.0) to kill the winRM windows event logging service.", "attack": ["stealth - Disable Windows Event Logging (T1562.002)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "dfe59316-6998-4f01-bf1e-54272bf4702d", "name": "Credential Dumping-Tools Common Named Pipes", "effort": "master", "data_sources": ["Windows event logs", "Named Pipes"], "description": "Detects well-known credential dumping tools execution via specific named pipes. Prerequisites: Logging for PipeEvents is needed in Sysmon config", "attack": ["credential-access - LSASS Memory (T1003.001)", "credential-access - Security Account Manager (T1003.002)", "credential-access - LSA Secrets (T1003.004)", "credential-access - Cached Domain Credentials (T1003.005)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "c487b4fa-753d-421a-a34e-8f5dfdb3a3b3", "name": "RUN Registry Key Created From Suspicious Folder", "effort": "advanced", "data_sources": ["Process monitoring", "Windows event logs", "Windows Registry"], "description": "Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories. Prerequisites are logging for Registry events, which can be done with Sysmon (events 12 and 13).", "attack": ["privilege-escalation - Registry Run Keys / Startup Folder (T1547.001)"], "intake-formats": ["BeyondTrust Privileged Remote Access Session", "Sekoia.io Endpoint Agent", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "SentinelOne Cloud Funnel 2.0", "Windows", "Crowdstrike Falcon Telemetry", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "555744c3-546c-48f5-ba5e-37ea54925edc", "name": "NjRat Registry Changes", "effort": "master", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters", "Windows Registry"], "description": "Detects changes for the RUN registry key which happen when a victim is infected by NjRAT. Please note that even if NjRat is well-known for the behavior the rule catches, the rule is a bit larger and could catch other malwares.", "attack": ["privilege-escalation - Boot or Logon Autostart Execution (T1547)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "44c29ab4-0e7c-44c9-b1a2-0501c8ce6d2c", "name": "Raccine Uninstall", "effort": "elementary", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters"], "description": "Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "a7d43735-57ac-4ebc-9c79-c49585e80ca2", "name": "Windows Registry Persistence COM Search Order Hijacking", "effort": "master", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects potential COM object hijacking leveraging the COM Search Order. Logging for Registry events is needed, it can be done with Sysmon's Event IDs 12 and 13. Alert filters are highly encouraged for such kind of rule.", "attack": ["execution - DLL (T1574.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "d661cc14-7a5f-4340-ac3e-a29cb7f709d8", "name": "LSASS Access From Non System Account", "effort": "master", "data_sources": ["Authentication logs", "Process monitoring", "Windows event logs"], "description": "Detects LSASS Access from Non System Account (e.g. Mimikatz)", "attack": ["credential-access - LSASS Memory (T1003.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "7ba47e1a-348d-4601-8615-58e563faf382", "name": "XSL Script Processing And SquiblyTwo Attack", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Process use of network", "Windows event logs"], "description": "Detection of an attack where adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Another variation of this technique, dubbed \"Squiblytwo\", involves to invoke JScript or VBScript within an XSL file.", "attack": ["execution - Windows Management Instrumentation (T1047)", "stealth - XSL Script Processing (T1220)", "execution - Visual Basic (T1059.005)", "execution - JavaScript (T1059.007)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "6e951873-3b53-4f9f-880a-17ace5f961be", "name": "Microsoft IIS Module Installation", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects the installation of a new IIS module from the command line. It can used used to backdoor an IIS/OWA/Sharepoint server.", "attack": ["persistence - Server Software Component (T1505)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "83a1d213-21c1-4d6b-8443-a120d5396388", "name": "Suspicious Hostname", "effort": "advanced", "data_sources": ["Authentication logs", "Windows event logs"], "description": "Detects suspicious hostnames such as ones with kali in it, to detect kali linux default hosts, but also other hostnames commonly used in attacks. List can be improved according to the environment.", "attack": ["command-and-control - Proxy (T1090)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "1054ba23-0b61-4a63-a6cc-97002c866b16", "name": "Dumpert LSASS Process Dumper", "effort": "elementary", "data_sources": ["Windows event logs", "File monitoring"], "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", "attack": ["credential-access - LSASS Memory (T1003.001)"], "intake-formats": ["OpenSSH", "SentinelOne Cloud Funnel 2.0", "Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "a91895dd-6bec-4eff-a763-bcfdff16bf53", "name": "Smbexec.py Service Installation", "effort": "elementary", "data_sources": ["Windows event logs"], "description": "Detects the use of smbexec.py tool by detecting a specific service installation", "attack": ["lateral-movement - SMB/Windows Admin Shares (T1021.002)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "56f0b1ff-3ace-49e4-a15a-e14e497ac81b", "name": "Turla Named Pipes", "effort": "elementary", "data_sources": ["Named Pipes", "Windows event logs"], "description": "Detects a named pipe used by Turla group samples. Prerequisites: Logging for PipeEvents is needed in Sysmon config", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "080fe7db-82bb-497e-a501-a6601c88fa64", "name": "Net.exe User Account Creation", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Identifies creation of local users via the net.exe command", "attack": ["persistence - Create Account (T1136)", "persistence - Local Account (T1136.001)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "8c0b66bf-566c-4e75-b530-ac9792613020", "name": "Powershell UploadString Function", "effort": "advanced", "data_sources": ["Windows event logs", "PowerShell logs"], "description": "Powershell's `uploadXXX` functions are a category of methods which can be used to exfiltrate data through native means on a Windows host.", "attack": ["exfiltration - Exfiltration Over Alternative Protocol (T1048)", "exfiltration - Exfiltration Over Web Service (T1567)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "4830f5fd-6fcd-4d72-9b7d-f6ff2453b2d4", "name": "xWizard Execution", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs", "Process command-line parameters"], "description": "Detects the execution of Xwizard tool with specific arguments which utilized to run custom class properties.", "attack": ["stealth - System Binary Proxy Execution (T1218)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "31aa72ec-1732-4d71-99e9-bce6d16b72f1", "name": "CMSTP UAC Bypass via COM Object Access", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects", "attack": ["privilege-escalation - Bypass User Account Control (T1548.002)", "stealth - CMSTP (T1218.003)"], "intake-formats": ["OCSF", "Sekoia.io Endpoint Agent", "Tanium", "Stormshield SES", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "SentinelOne EDR", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "e53002a2-3df4-489c-9b98-ded5fe067c22", "name": "WMI DLL Loaded Via Office", "effort": "master", "data_sources": ["Loaded DLLs", "Process monitoring", "Windows event logs"], "description": "Detects Windows Management Instrumentation (WMI) DLL loaded via Office process. This activity may correspond to VBA macro executing WMI commands, which is highly suspicious. The prerequisite is to log Loaded DLLs images, which can be done with the Sysmon Event ID 7 (DLL image loaded by process).", "attack": ["execution - Windows Management Instrumentation (T1047)", "execution - Visual Basic (T1059.005)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "25fe5bd5-edac-49d6-a8c5-b70365ef7282", "name": "Account Added To A Security Enabled Group", "effort": "master", "data_sources": ["Authentication logs", "Windows event logs"], "description": "Detection in order to investigate who has added a specific Domain User in Domain Admins or Group Policy Creator Owners (Security event 4728)", "attack": ["initial-access - Valid Accounts (T1078)"], "intake-formats": ["Cisco NX-OS", "ExtraHop Reveal(x) 360", "BeyondTrust Privileged Remote Access Session", "NeroSwarm Honeypot", "Kubernetes Audit Log", "Azure Network Watcher [DEPRECATED]", "Azure Network Watcher Flow Logs", "CyberArk Audit Logs", "TEHTRIS EDR", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "BeyondTrust PRA Vault Account Activity [BETA]", "Lacework Cloud Security", "Keycloak Events", "AWS CloudTrail", "OCSF", "WithSecure Elements", "Cybereason EDR activity", "Thinkst Canary", "Claroty xDome", "Salesforce", "VMware vCenter", "Forcepoint Secure Web Gateway", "Forcepoint Next-Generation Firewall", "Radware DefensePro [Beta]", "Sophos Analysis Threat Center", "RSA SecurID", "IBM iSeries", "Ivanti / Pulse Connect Secure", "Citrix NetScaler / ADC", "SonicWall Firewall", "Palo Alto NGFW", "Sophos EDR", "Clavister NGFW", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "Fortinet FortiGate", "F5 BIG-IP", "Cisco IOS router and switch", "Trellix Advanced Threat Defense", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent", "Trellix ePO (on-prem)", "ArubaOS Switch", "IBM AIX", "Delinea PRA", "WatchGuard Firebox", "Windows Log Insight", "Microsoft 365 / Office 365", "Palo Alto Prisma access", "BeyondTrust PRA Team [BETA]", "Azure Windows", "Check Point NGFW", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "68fbcc4d-b765-4ca8-8635-b0e54ab6830b", "name": "Remote Service Activity Via SVCCTL Named Pipe", "effort": "master", "data_sources": ["Process use of network", "Windows event logs"], "description": "Detects remote service activity via remote access to the svcctl named pipe", "attack": ["lateral-movement - SMB/Windows Admin Shares (T1021.002)"], "intake-formats": ["Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "563cccb9-2a2c-4dfa-962d-9b50e3bc7ba9", "name": "LSASS Memory Dump", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects process accessing LSASS memory which is typical for credentials dumping tools. The rule requires Sysmon EventID 10 to work as it is based on the GrantedAccess mask.", "attack": ["credential-access - LSASS Memory (T1003.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "b84eba5c-aa97-4095-96f5-126b115d60b5", "name": "Windows Update LolBins", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "This rule try to detect a suspicious behavior of wuauclt.exe (windows update client) that could be a lolbins. Wuauctl.exe could be used to execute a malicious program.", "attack": ["execution - System Services (T1569)"], "intake-formats": ["SentinelOne Singularity Identity", "OCSF", "Sekoia.io Endpoint Agent", "Tanium", "Cybereason EDR activity", "Stormshield SES", "Azure Activity Logs", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "a8a0e7b8-6101-454f-82d2-3bc7464b7196", "name": "BITSAdmin Download", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Process use of network", "Windows event logs"], "description": "Detects command to download file using BITSAdmin, a built-in tool in Windows. This technique is used by several threat actors to download scripts or payloads on infected system.", "attack": ["execution - BITS Jobs (T1197)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "1a92bab6-55fc-465f-8997-e82ee22bf7fe", "name": "CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs", "Loaded DLLs", "DLL monitoring", "File monitoring"], "description": "Detects suspicious image loads and file creations from the spoolsv process which could be a sign of an attacker trying to exploit the PrintNightmare vulnerability, CVE-2021-34527. A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. This works as well as a Local Privilege escalation vulnerability. To fully work the rule requires to log for Loaded DLLs and File Creations, which can be done respectively using the Sysmon's event IDs 7 and 11.", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Cisco NX-OS", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Sophos Analysis Threat Center", "Daspren Parad", "IBM iSeries", "SonicWall Firewall", "CEF", "SentinelOne EDR", "Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent", "IBM AIX", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "c04c3082-3ddc-4e49-a31e-187c2e47e087", "name": "DCSync Attack", "effort": "intermediate", "data_sources": ["Authentication logs", "Windows event logs"], "description": "Detects DCSync attack, it is highly likely that the post-exploitation tool Mimikatz was executed.", "attack": ["credential-access - DCSync (T1003.006)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "6e583c47-95ad-43e5-9664-496ca1ffdf72", "name": "DNS Query For Iplookup", "effort": "master", "data_sources": ["Windows event logs", "Network protocol analysis", "Process use of network", "Web proxy"], "description": "Detects dns query of observables tagged as iplookup.", "attack": ["reconnaissance - Gather Victim Host Information (T1592)"], "intake-formats": ["Cisco NX-OS", "ESET Protect", "Broadcom/Symantec Endpoint Security", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "Keycloak Events", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Thinkst Canary", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "IBM iSeries", "Juniper NGFW", "Citrix NetScaler / ADC", "Elastic AuditBeat Linux", "SonicWall Firewall", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CEF", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Akamai Guardicore On-Prem [BETA]", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trellix ePO (on-prem)", "Trend Micro Vision One OAT [BETA]", "Jumpcloud Directory Insights", "OpenSSH", "Azure Activity Logs", "Trellix EPO [ALPHA]", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "VMware ESXi", "Microsoft 365 / Office 365", "Postfix", "Azure Windows", "Akamai Guardicore Cloud [BETA]", "Elastic Winlogbeat"]}, {"uuid": "9cafb059-31f6-42fe-ad29-bd65c7e35aa3", "name": "DLL Load via LSASS Registry Key", "effort": "intermediate", "data_sources": ["Windows Registry", "Windows event logs"], "description": "Detects a method to load DLL via LSASS process using an undocumented Registry key. Prerequisites are logging for Registry events. This can be done with Sysmon events 12, 13 and 14 and monitor `SYSTEM\\CurrentControlSet\\Services`.", "attack": ["privilege-escalation - LSASS Driver (T1547.008)"], "intake-formats": ["BeyondTrust Privileged Remote Access Session", "Sekoia.io Endpoint Agent", "Tanium", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "Crowdstrike Falcon Telemetry", "BeyondTrust PRA Team [BETA]", "Microsoft Defender XDR (Graph API) [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "9b0a9e42-2aa0-422f-958f-0285be1e208d", "name": "WMIC Command To Determine The Antivirus", "effort": "advanced", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters", "WMI Objects"], "description": "Detects WMIC command to determine the antivirus on a system, characteristic of the ZLoader malware (and possibly others)", "attack": ["discovery - Security Software Discovery (T1518.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "a1eacabd-f606-470a-be6e-8ecfaa5e5ad2", "name": "User Account Created", "effort": "master", "data_sources": ["Windows event logs"], "description": "Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720. ", "attack": ["persistence - Local Account (T1136.001)"], "intake-formats": ["Cisco NX-OS", "ExtraHop Reveal(x) 360", "BeyondTrust Privileged Remote Access Session", "NeroSwarm Honeypot", "Kubernetes Audit Log", "Azure Network Watcher [DEPRECATED]", "Azure Network Watcher Flow Logs", "CyberArk Audit Logs", "TEHTRIS EDR", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "BeyondTrust PRA Vault Account Activity [BETA]", "Lacework Cloud Security", "Keycloak Events", "AWS CloudTrail", "OCSF", "WithSecure Elements", "Cybereason EDR activity", "Thinkst Canary", "Claroty xDome", "Salesforce", "VMware vCenter", "Forcepoint Secure Web Gateway", "Forcepoint Next-Generation Firewall", "Radware DefensePro [Beta]", "Sophos Analysis Threat Center", "RSA SecurID", "IBM iSeries", "Ivanti / Pulse Connect Secure", "Citrix NetScaler / ADC", "SonicWall Firewall", "Palo Alto NGFW", "Sophos EDR", "Clavister NGFW", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "Fortinet FortiGate", "F5 BIG-IP", "Cisco IOS router and switch", "Trellix Advanced Threat Defense", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "Trellix ePO (on-prem)", "ArubaOS Switch", "IBM AIX", "Delinea PRA", "WatchGuard Firebox", "Windows Log Insight", "Microsoft 365 / Office 365", "Palo Alto Prisma access", "BeyondTrust PRA Team [BETA]", "Azure Windows", "Check Point NGFW", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "02ff3e37-a71c-4304-b189-9aa81a6bff68", "name": "Schtasks Suspicious Parent", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects schtasks started from suspicious and/or unusual processes.", "attack": ["privilege-escalation - Scheduled Task (T1053.005)"], "intake-formats": ["SentinelOne Singularity Identity", "OCSF", "Sekoia.io Endpoint Agent", "Tanium", "Cybereason EDR activity", "ESET Protect", "Stormshield SES", "Azure Activity Logs", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "365c4283-cb09-4f92-b5eb-437df95e2fc0", "name": "Elevated Msiexec Via Repair Functionality", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "Detects when msiexec.exe is used with the repair functionality. The process gains elevated privileges. Attackers can use this to exploit the CVE-2024-38014.", "attack": ["execution - Hijack Execution Flow (T1574)", "resource-development - Vulnerabilities (T1588.006)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Apex One / Vision One endpoint"]}, {"uuid": "a3d00d0d-b6fc-4b5a-a0c6-6cd7c1517566", "name": "Spyware Persistence Using Schtasks", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects possible Agent Tesla or Formbook persistence using schtasks. The name of the scheduled task used by these malware is very specific (Updates/randomstring).", "attack": ["privilege-escalation - Scheduled Task (T1053.005)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "df27455e-5eed-4c88-92d6-7de7e4e75985", "name": "AD Object WriteDAC Access", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects WRITE_DAC access to a domain object. This requires Windows Event ID 4662.", "attack": ["defense-impairment - File and Directory Permissions Modification (T1222)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "931d340a-b02b-4c2a-8f57-b733dc3d44b3", "name": "SeEnableDelegationPrivilege Granted To User Or Machine In Active Directory", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects the SeEnableDelegationPrivilege right in Active Directory granted to a user of a computer, it would allow control of other AD user objects", "attack": ["privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "e1483826-c586-42e5-b59f-c2b8feae04c6", "name": "Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data", "effort": "intermediate", "data_sources": ["Windows event logs", "PowerShell logs", "Process monitoring", "Process command-line parameters"], "description": "Detects PowerShell SnapIn command line or PowerShell script, often used with Get-Mailbox to export Exchange mailbox data.", "attack": ["collection - Data from Local System (T1005)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "67b48f71-fc80-48fd-a2c6-6329834aa880", "name": "Rare Lsass Child Found", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Lsass ensures the identification of users (domain users or local users). Domain users are identified based on information in the Active Directory. Local users are identified based on information from the Security Account Manager (SAM) local database. This process should not create a child process or it is very rare.", "attack": ["privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Sekoia.io Endpoint Agent", "Tanium", "Stormshield SES", "ESET Protect", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "SentinelOne EDR", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "3d2f058e-32c7-4048-981f-7d0f19cfcca4", "name": "UAC Bypass via Event Viewer", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs", "Windows Registry", "Process command-line parameters"], "description": "Detects UAC bypass method using Windows event viewer. ", "attack": ["privilege-escalation - Bypass User Account Control (T1548.002)"], "intake-formats": ["BeyondTrust Privileged Remote Access Session", "Sekoia.io Endpoint Agent", "Stormshield SES", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "Crowdstrike Falcon Telemetry", "BeyondTrust PRA Team [BETA]", "Microsoft Defender XDR (Graph API) [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Elastic Winlogbeat", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "fb4fe860-cd20-48ea-8917-aab8e1982cb2", "name": "Microsoft Defender Antivirus History Deleted", "effort": "master", "data_sources": ["Windows event logs", "Anti-virus"], "description": "Windows Defender history has been deleted. Could be an attempt by an attacker to remove its traces.", "attack": ["stealth - Clear Windows Event Logs (T1070.001)"], "intake-formats": ["ArubaOS Switch", "Keycloak Events", "AWS CloudTrail", "NeroSwarm Honeypot", "OCSF", "Delinea PRA", "WithSecure Elements", "Stormshield SES", "CyberArk Audit Logs", "Windows", "Fortinet FortiGate", "Azure Windows", "Ivanti / Pulse Connect Secure", "Elastic Winlogbeat", "Trellix ePO (on-prem)", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "188ed422-2740-4527-af39-b7cbcefe4adc", "name": "PowerView commandlets 2", "effort": "master", "data_sources": ["PowerShell logs", "Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects PowerView commandlets which perform network and Windows domain enumeration and exploitation. It provides replaces for almost all Windows net commands, letting you query users, machines, domain controllers, user descriptions, share, sessions, and more.", "attack": ["discovery - System Service Discovery (T1007)", "discovery - Remote System Discovery (T1018)", "discovery - Account Discovery (T1087)", "discovery - Network Share Discovery (T1135)", "discovery - Domain Trust Discovery (T1482)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "dbdc0d79-58ea-4c58-9835-6f16ea2a5d22", "name": "Suspicious Taskkill Command", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects rare taskkill command being used. It could be related to Baby Shark malware.", "attack": ["execution - Windows Command Shell (T1059.003)", "execution - PowerShell (T1059.001)", "discovery - Query Registry (T1012)", "stealth - Mshta (T1218.005)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "b38d9bc6-12ba-448c-9cde-b4ff036c5efa", "name": "Compress Data for Exfiltration via Archiver", "effort": "master", "data_sources": ["Windows event logs"], "description": "Detects data compressed by specific tools.", "attack": ["collection - Archive via Utility (T1560.001)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "c0c5af8d-3d78-4369-a84b-4e576e6659dc", "name": "Microsoft Defender Antivirus Disable Services", "effort": "intermediate", "data_sources": ["Windows event logs", "Windows Registry", "Process monitoring", "Process command-line parameters"], "description": "The rule detects attempts to deactivate/disable Windows Defender through command line and registry.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "5b92ffea-77ca-4234-9318-0465d975dde7", "name": "Netsh Program Allowed With Suspicious Location", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Process use of network", "Windows event logs"], "description": "Detects Netsh commands that allow a suspcious application location on Windows Firewall, seen on kasidet worm. Last part of the existing rule (commandline startwith) was not added to this rule because it is not relevant.", "attack": ["stealth - Disable or Modify System Firewall (T1562.004)", "stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["OCSF", "Trend Micro Vision One OAT [BETA]", "Sekoia.io Endpoint Agent", "Tanium", "WithSecure Elements", "Stormshield SES", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "SentinelOne EDR", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "f99c576f-dd7e-4392-80a0-9b597198f966", "name": "Suspicious LDAP-Attributes Used", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies. Careful as the 5136 is only on domain controllers and needs to be activated through the Group Policy.", "attack": ["command-and-control - Application Layer Protocol (T1071)", "command-and-control - Protocol or Service Impersonation (T1001.003)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "5d0c9fbe-96f8-4ed8-8c9a-3a0d53e62769", "name": "PowerView commandlets 1", "effort": "advanced", "data_sources": ["PowerShell logs", "Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects PowerView commandlets which perform network and Windows domain enumeration and exploitation. It provides replaces for almost all Windows net commands, letting you query users, machines, domain controllers, user descriptions, share, sessions, and more.", "attack": ["discovery - System Service Discovery (T1007)", "discovery - Remote System Discovery (T1018)", "discovery - Account Discovery (T1087)", "discovery - Network Share Discovery (T1135)", "discovery - Domain Trust Discovery (T1482)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "01f0e538-fe49-4aa1-b5cc-f38e8a3f5d32", "name": "File Or Folder Permissions Modifications", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.", "attack": ["defense-impairment - Windows Permissions (T1222.001)"], "intake-formats": ["SentinelOne Singularity Identity", "OCSF", "Sekoia.io Endpoint Agent", "Tanium", "Cybereason EDR activity", "Stormshield SES", "Azure Activity Logs", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "8b93f48b-6386-4da6-ac41-1d02a66cf84a", "name": "Putty Sessions Listing", "effort": "master", "data_sources": ["Windows event logs", "Windows Registry", "Process command-line parameters"], "description": "Detects attempts to list Putty sessions through registry. To fully work, this rule requires to log registry accesses, which can be done with the Windows Event ID 4656 or 4663 but for that specific configuration is needed.", "attack": ["discovery - Query Registry (T1012)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "57f58e5c-3711-4e22-834d-5aedd5cf6efa", "name": "JS PowerShell Infection Chains", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs", "Process command-line parameters"], "description": "Detect JS script execution who run a PowerShell download and exec command_line", "attack": ["execution - JavaScript (T1059.007)", "execution - PowerShell (T1059.001)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "Barracuda CloudGen Firewall", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0"]}, {"uuid": "34eb0d4a-dd99-48ae-ae49-a13eb8e31ea4", "name": "Outlook Registry Access", "effort": "master", "data_sources": ["Windows event logs", "PowerShell logs", "Process command-line parameters", "Process monitoring"], "description": "Detection of accesses to Microsoft Outlook registry hive, which might contain sensitive information.", "attack": ["collection - Local Email Collection (T1114.001)", "credential-access - Credentials in Registry (T1552.002)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "5b4578b4-8c19-431a-a4f6-fc9e6223fb61", "name": "Suspicious PowerShell Keywords", "effort": "advanced", "data_sources": ["Windows event logs", "PowerShell logs"], "description": "Detects keywords that could indicate the use of some PowerShell exploitation framework.", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "ad9fbd19-cf5e-4a67-90ac-4e457797d04e", "name": "Windows Suspicious Service Creation", "effort": "intermediate", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects the creation of a new suspicious service - attacker could use MSRPC to create a remote service", "attack": ["execution - Service Execution (T1569.002)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "1c9f3d57-e6e0-4cd2-90e4-5b62a85607bf", "name": "Opening Of a Password File", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Command line detection of common office software opening some password related file. It could be a security breach if an unauthorized user access it.", "attack": ["credential-access - Unsecured Credentials (T1552)", "credential-access - Credentials In Files (T1552.001)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "13a9c3fa-5a75-466b-a882-a6aed437fb53", "name": "Disabling SmartScreen Via Registry", "effort": "elementary", "data_sources": ["Windows Registry"], "description": "Detects when a user disables smartscreen.", "attack": ["persistence - Modify Registry (T1112)"], "intake-formats": ["BeyondTrust Privileged Remote Access Session", "Sekoia.io Endpoint Agent", "Stormshield SES", "SentinelOne Cloud Funnel 2.0", "Windows", "Crowdstrike Falcon Telemetry", "BeyondTrust PRA Team [BETA]", "Microsoft Defender XDR (Graph API) [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Elastic Winlogbeat", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "ac2a3f0a-fdc2-4c77-8c94-f4e211853745", "name": "PowerShell EncodedCommand", "effort": "advanced", "data_sources": ["PowerShell logs", "Windows event logs", "Process command-line parameters"], "description": "Detects popular file extensions in commands obfuscated in base64 run through the EncodedCommand option.", "attack": ["execution - PowerShell (T1059.001)", "stealth - Obfuscated Files or Information (T1027)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "97ea4517-1d60-4da6-a9eb-9b17ab0a8419", "name": "Microsoft Malware Protection Engine Crash", "effort": "intermediate", "data_sources": ["Windows Error Reporting", "Windows event logs"], "description": "Detects a crash of the Microsoft Malware Protection Engine process (MsMpEng.exe), which is suspicious and could be related to an attacker disabling the Windows protection.", "attack": ["stealth - Exploitation for Stealth (T1211)", "stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Elastic Winlogbeat", "Stormshield SES", "Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "87b56b41-89e8-41fd-b6dd-e70b1f5f15d7", "name": "PowerShell Download From URL", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Process use of network", "Windows event logs"], "description": "Detects a Powershell process that contains download commands in its command line string.", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "98f8d96e-ac28-4aaa-a718-bc62d6dddfd3", "name": "Remote Monitoring and Management Software - AnyDesk", "effort": "master", "data_sources": ["Process monitoring", "Network protocol analysis", "Services", "Windows Registry", "File monitoring"], "description": "Detect artifacts related to the installation or execution of the Remote Monitoring and Management tool AnyDesk.", "attack": ["command-and-control - Remote Access Tools (T1219)"], "intake-formats": ["NeroSwarm Honeypot", "Cloudflare Gateway HTTP", "Trellix Network Security", "Cybereason EDR", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "F5 Distributed Cloud", "Broadcom Cloud Secure Web Gateway", "Tanium", "Thinkst Canary", "Fastly Next-Gen WAF Audit Logs", "Salesforce", "VMware vCenter", "Fastly Next-Gen WAF Alerts", "Azure Front Door", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Unbound", "GraphAPI for Microsoft Entra ID / Azure AD", "Microsoft Intune", "Zscaler Internet Access", "Gatewatcher AionIQ V103", "FreeRADIUS", "CEF", "SentinelOne EDR", "Wiz Audit Logs", "Cato Networks SASE", "Kaspersky Endpoint Security", "Akamai Guardicore On-Prem [BETA]", "One Identity SPS", "Microsoft Entra ID / Azure AD", "Trend Micro Vision One OAT [BETA]", "Ubika Cloud Protector Next Generation Alerts", "Delinea PRA", "WatchGuard Firebox", "Systancia Cleanroom", "Bitdefender GravityZone", "Windows Log Insight", "AWS WAF", "AWS CloudFront", "Cisco Meraki MX", "Check Point NGFW", "Elastic Winlogbeat", "Cisco NX-OS", "Cisco ESA", "Seckiot Citadelle", "Kubernetes Audit Log", "Trapster (by Ballpoint) [BETA]", "Hornetsecurity 365 Total Protection", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "Cloudflare DNS logs", "Google Workspace / ChromeOS", "OCSF", "AWS CloudTrail", "Github Audit logs", "Claroty xDome", "Daspren Parad", "Cisco Umbrella DNS", "Juniper NGFW", "Ivanti / Pulse Connect Secure", "Citrix NetScaler / ADC", "Palo Alto NGFW", "Trellix EDR [ALPHA]", "Nanocorp [BETA]", "Stormshield SNS", "Apache HTTP Server", "F5 BIG-IP", "Ubika Cloud Protector Traffic [DEPRECATED]", "Cisco Secure Firewall", "Trellix ePO (on-prem)", "ArubaOS Switch", "Cloudflare HTTP requests", "IBM AIX", "OGO WAF", "Jumpcloud Directory Insights", "Sophos Firewall", "MokN - Baits", "Varonis Data Security", "Azure Activity Logs", "Trellix EPO [ALPHA]", "CrowdStrike Falcon", "Infoblox DDI", "Microsoft 365 / Office 365", "Gatewatcher AionIQ v102", "Palo Alto Prisma access", "Vectra Cognito Detect", "Akamai Guardicore Cloud [BETA]", "Trend Micro Apex One / Vision One endpoint", "Retarus Email Security", "BeyondTrust Privileged Remote Access Session", "Netskope", "Broadcom Edge Secure Web Gateway", "SonicWall Secure Mobile Access", "ESET Protect", "Zscaler Private Access [BETA]", "Broadcom/Symantec Endpoint Security", "Netskope Transaction Events with AWS S3", "AWS GuardDuty", "TEHTRIS EDR", "Watchguard EPDR", "Proofpoint TAP", "WithSecure Elements", "Google Kubernetes Engine", "Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "Forcepoint Secure Web Gateway", "Cisco Duo Security", "Cisco ISE", "Nozomi CMC", "Radware DefensePro [Beta]", "IBM iSeries", "Elastic AuditBeat Linux", "Sophos EDR", "Rubycat PROVE IT", "Cloudflare WAF events", "Jizo AI / Sesame it NDR", "PingFederate", "Proofpoint PoD", "Stormshield SES", "Cisco Umbrella Proxy", "ManageEngine ADAudit Plus", "Cisco IOS router and switch", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "EfficientIP SOLIDServer DDI", "SentinelOne Singularity Identity", "Vade Cloud", "Suricata", "Google Cloud Audit Logs", "Palo Alto Cortex XDR (EDR)", "Cloudflare Gateway DNS", "Postfix", "Azure Files", "Azure Windows", "Nozomi Vantage", "NucleonEDR", "Okta", "Google Cloud Load Balancing", "CyberArk Audit Logs", "Squid", "Azure Key Vault", "Barracuda CloudGen Firewall", "Cisco Catalyst SD-WAN", "Netskope Transaction Events [DEPRECATED]", "Trend Micro Cloud One / Deep Security", "Ubika WAAP Gateway", "Keycloak Events", "Fortinet FortiProxy", "Cybereason EDR activity", "Imperva WAF", "Cisco Secure Web Appliance", "Sekoia.io activity logs", "Azure Application Gateway", "F5 NGINX", "WALLIX Bastion", "SonicWall Firewall", "Fortinet FortiWeb", "CyberArk Digital Vault", "Fortinet FortiMail", "Cloudflare Gateway Network", "Fortinet FortiGate", "HAProxy", "VMware ESXi", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "BIND", "Trend Micro Vision One Workbench Alerts [BETA]"]}, {"uuid": "22251b0b-221c-42b9-856a-334233ea9ca8", "name": "Cobalt Strike Default Beacons Names", "effort": "intermediate", "data_sources": ["Windows event logs", "Process monitoring", "File monitoring"], "description": "Detects the default names of Cobalt Strike beacons / payloads.", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["Cloudflare Gateway HTTP", "Trellix Network Security", "Cybereason EDR", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Tanium", "Thinkst Canary", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Broadcom Siteminder", "Zscaler Internet Access", "Gatewatcher AionIQ V103", "CEF", "SentinelOne EDR", "Cato Networks SASE", "Kaspersky Endpoint Security", "Akamai Guardicore On-Prem [BETA]", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Windows Log Insight", "Elastic Winlogbeat", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "Google Workspace / ChromeOS", "OCSF", "Claroty xDome", "Daspren Parad", "Juniper NGFW", "Mimecast Email Security", "Palo Alto NGFW", "Trellix EDR [ALPHA]", "Stormshield SNS", "Cisco Secure Firewall", "Trellix ePO (on-prem)", "IBM AIX", "Varonis Data Security", "Jumpcloud Directory Insights", "Azure Activity Logs", "Trellix EPO [ALPHA]", "CrowdStrike Falcon", "Microsoft 365 / Office 365", "Gatewatcher AionIQ v102", "Palo Alto Prisma access", "Trend Micro Apex One / Vision One endpoint", "Akamai Guardicore Cloud [BETA]", "BeyondTrust Privileged Remote Access Session", "Netskope", "ESET Protect", "Broadcom/Symantec Endpoint Security", "TEHTRIS EDR", "Watchguard EPDR", "WithSecure Elements", "IBM iSeries", "Elastic AuditBeat Linux", "Stormshield SES", "Proofpoint PoD", "Cisco Umbrella Proxy", "ManageEngine ADAudit Plus", "Cisco IOS router and switch", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "Palo Alto Cortex XDR (EDR)", "Postfix", "Azure Windows", "CyberArk Audit Logs", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "Keycloak Events", "Fortinet FortiProxy", "Cybereason EDR activity", "Cisco Secure Web Appliance", "SonicWall Firewall", "CyberArk Digital Vault", "Fortinet FortiMail", "Trellix Advanced Threat Defense", "Fortinet FortiGate", "VMware ESXi", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]"]}, {"uuid": "3e4d0b72-9677-4e32-8640-2ee73ed63475", "name": "Denied Access To Remote Desktop", "effort": "intermediate", "data_sources": ["Windows event logs", "Process use of network"], "description": "Detects when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. This event can be generated by attackers when searching for available windows servers in the network. This rule detects only users from external network.", "attack": ["lateral-movement - Remote Desktop Protocol (T1021.001)", "initial-access - Valid Accounts (T1078)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "8722a2e7-4525-4b2e-b54e-21dc67702b4c", "name": "Rebooting", "effort": "master", "data_sources": ["Windows event logs"], "description": "Detects when forcing a computer to shutdown.", "attack": ["impact - System Shutdown/Reboot (T1529)"], "intake-formats": ["SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Cybereason EDR activity", "Stormshield SES", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "5eb6a468-d566-449c-8aaa-62d58be21ecc", "name": "Suspicious Rundll32.exe Executions", "effort": "intermediate", "data_sources": ["DLL monitoring", "Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "The process rundll32.exe executes a newly dropped DLL with update /i in the command line. This specific technic was observed at least being used by the IcedID loading mechanism dubbed Gziploader. Some other detections are related to LOLBAS (Living Off The Land Binaries, Scripts and Libraries) usages (like the COM registering).", "attack": ["stealth - Rundll32 (T1218.011)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "b870d799-eac6-4e02-8f38-e796ec8dd09b", "name": "Qakbot Persistence Using Schtasks", "effort": "intermediate", "data_sources": ["Process monitoring", "Process command-line parameters", "Windows event logs"], "description": "Detects possible Qakbot persistence using schtasks.", "attack": ["privilege-escalation - At (T1053.002)", "privilege-escalation - Scheduled Task (T1053.005)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "c7c06923-5ab4-43c4-99ff-520720a06819", "name": "CertOC Loading Dll", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.", "attack": ["stealth - System Binary Proxy Execution (T1218)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "a46e93c0-1224-4a15-85c9-93144c6bdeaa", "name": "Netsh Port Opening", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring", "Process use of network", "Windows event logs"], "description": "Detects netsh commands that opens a specific port. Can be used by malware or attackers for lateralisation/exfiltration (e.g. SMB/RDP opening).", "attack": ["stealth - Disable or Modify System Firewall (T1562.004)", "stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "a0802a29-5197-4a83-8081-23941bbcb490", "name": "Winlogon wrong parent", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Winlogon.exe is a process that performs the Windows login management function, handling user login and logout in Windows. You see this process in action whenever the operating system asks you for your username and password. It is also responsible for loading user profiles after login, this supports automated login (when relevant) and keyboard and mouse inactivity monitoring to decide when to invoke the screen saver. This rule analyse if the parent of this process is a legitimate one or not.", "attack": ["privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Tanium", "Stormshield SES", "ESET Protect", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Windows", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "915199d4-f42f-4185-8fd0-46da4dbc7c63", "name": "Correlation Impacket Smbexec", "effort": "elementary", "data_sources": ["Windows event logs"], "description": "This rule detects the execution of smbexec via the relevant share pattern name ", "attack": ["lateral-movement - SMB/Windows Admin Shares (T1021.002)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "1ebf45bc-bed5-45de-a67e-61e9d8363416", "name": "Suspicious Double Extension", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spearphishing campaigns", "attack": ["initial-access - Spearphishing Attachment (T1566.001)"], "intake-formats": ["Cisco NX-OS", "ESET Protect", "Broadcom/Symantec Endpoint Security", "Crowdstrike Falcon Telemetry", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "Keycloak Events", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Thinkst Canary", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Daspren Parad", "IBM iSeries", "Juniper NGFW", "Elastic AuditBeat Linux", "SonicWall Firewall", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CEF", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Akamai Guardicore On-Prem [BETA]", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trellix ePO (on-prem)", "Trend Micro Vision One OAT [BETA]", "Jumpcloud Directory Insights", "Azure Activity Logs", "Trellix EPO [ALPHA]", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "VMware ESXi", "Microsoft 365 / Office 365", "Postfix", "Windows Log Insight", "Azure Windows", "Akamai Guardicore Cloud [BETA]", "Elastic Winlogbeat"]}, {"uuid": "6f353c04-8b20-42e3-960d-b9aec37b9fce", "name": "Suspicious CodePage Switch with CHCP", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects a code page switch in command line", "attack": ["execution - Windows Command Shell (T1059.003)", "execution - Visual Basic (T1059.005)", "execution - JavaScript (T1059.007)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "ab7baed3-30cf-4e7a-9eba-04a34b58581d", "name": "PowerShell Credential Prompt", "effort": "advanced", "data_sources": ["PowerShell logs", "Windows event logs"], "description": "Detects PowerShell calling a credential prompt (using PromptForCredential), like $Credential = $host.ui.PromptForCredential(\"Need credentials\", \"Please enter your user name and password.\", \"\", \"NetBiosUserName\"). The same result can be obtained by using the Get-Credential function but detecting it will trigger a lot of FP.", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Windows", "Trend Micro Vision One Workbench Alerts [BETA]", "Elastic Winlogbeat", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "f87da5a5-5ed9-4553-a117-4c20565a8a28", "name": "Impacket Secretsdump.py Tool", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "Detects credential dumping via secretdump of impacket suite.", "attack": ["credential-access - Security Account Manager (T1003.002)", "credential-access - NTDS (T1003.003)", "credential-access - LSA Secrets (T1003.004)"], "intake-formats": ["Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "0687aa4a-474b-48fe-9c64-743bd5507047", "name": "AD User Enumeration", "effort": "master", "data_sources": ["Windows event logs"], "description": "Detects access to a domain user from a non-machine account. This requires Windows Security Event ID 4662 and could be triggered by some administrators configuring new users.", "attack": ["discovery - Account Discovery (T1087)", "discovery - Domain Account (T1087.002)"], "intake-formats": ["Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "39b1259f-aa2a-4b33-a192-806db7d5cde4", "name": "NTDS.dit File Interaction Through Command Line", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects interaction with the file NTDS.dit through command line. This is usually really suspicious and could indicate an attacker trying copy the file to then look for users password hashes.", "attack": ["credential-access - NTDS (T1003.003)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "7f3c74d8-2d97-4d74-95ac-cf037fc19307", "name": "Creation or Modification of a GPO Scheduled Task", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "Detects lateral movement using GPO scheduled task, often used to deploy ransomware at scale. This rule is based on the EventID 5145 which is specific to Windows Servers. The advanced audit policy setting Object Access > Audit Detailed File Share must be configured for Success/Failure.", "attack": ["privilege-escalation - Scheduled Task (T1053.005)", "privilege-escalation - Group Policy Modification (T1484.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "3705b1c4-1dd2-4995-95ce-994b20905674", "name": "Credential Dump Tools Related Files", "effort": "advanced", "data_sources": ["File monitoring"], "description": "Detects processes or file names related to credential dumping tools and the dropped files they generate by default.", "attack": ["credential-access - LSASS Memory (T1003.001)", "credential-access - Security Account Manager (T1003.002)", "credential-access - NTDS (T1003.003)", "credential-access - LSA Secrets (T1003.004)", "credential-access - Cached Domain Credentials (T1003.005)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Cloudflare Gateway HTTP", "Netskope", "Trellix Network Security", "CyberArk Audit Logs", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Google Workspace / ChromeOS", "TEHTRIS EDR", "Watchguard EPDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Fortinet FortiProxy", "Tanium", "WithSecure Elements", "Thinkst Canary", "Cisco Secure Web Appliance", "Claroty xDome", "Sophos Analysis Threat Center", "Daspren Parad", "IBM iSeries", "Mimecast Email Security", "SonicWall Firewall", "Palo Alto NGFW", "Broadcom Siteminder", "Proofpoint PoD", "Zscaler Internet Access", "Gatewatcher AionIQ V103", "CyberArk Digital Vault", "Cisco Umbrella Proxy", "CEF", "SentinelOne EDR", "Fortinet FortiMail", "Fortinet FortiGate", "ManageEngine ADAudit Plus", "Trellix Advanced Threat Defense", "Cato Networks SASE", "Cisco Secure Firewall", "Kaspersky Endpoint Security", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Trellix ePO (on-prem)", "Sekoia.io Endpoint Agent", "IBM AIX", "One Identity SPS", "Varonis Data Security", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "Microsoft 365 / Office 365", "Gatewatcher AionIQ v102", "BeyondTrust PRA Team [BETA]", "Palo Alto Prisma access", "Postfix", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "76d328dc-d88f-4f3e-af05-c01a49f70904", "name": "Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting", "effort": "master", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects the modification of Outlook setting \"LoadMacroProviderOnBoot\" which if enabled allows the automatic loading of any configured VBA project/module. Logging for Registry events is needed, it can be done in the Sysmon configuration (events 12 and 13).", "attack": ["persistence - Office Application Startup (T1137)", "persistence - Event Triggered Execution (T1546)"], "intake-formats": ["Stormshield SES", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Elastic Winlogbeat", "Sekoia.io Endpoint Agent"]}, {"uuid": "d844b812-6c8e-49a2-9807-f7359783601e", "name": "Microsoft Office Macro Security Registry Modifications", "effort": "master", "data_sources": ["Windows event logs", "Windows Registry", "Process monitoring", "Process command-line parameters"], "description": "Detects registry changes allowing an attacker to make Microsoft Office products runs Macros without warning. Events are collected either from ETW/Sysmon/EDR depending of the integration.", "attack": ["privilege-escalation - Registry Run Keys / Startup Folder (T1547.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "d14c1bc0-2781-475f-9bc0-b5afa2105a66", "name": "Credential Harvesting Via Vaultcmd.exe", "effort": "advanced", "data_sources": ["Windows event logs", "Process command-line parameters", "Process monitoring"], "description": "Detects when the process vaultcmd is used for credential harvesting.", "attack": ["credential-access - Credentials from Password Stores (T1555)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "e918b614-f50d-4717-84de-91e3339a89c5", "name": "Exploiting SetupComplete.cmd CVE-2019-1378", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects exploitation attempts of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378.", "attack": ["privilege-escalation - Exploitation for Privilege Escalation (T1068)", "execution - Windows Command Shell (T1059.003)", "execution - Hijack Execution Flow (T1574)"], "intake-formats": ["OCSF", "Trend Micro Vision One OAT [BETA]", "Sekoia.io Endpoint Agent", "Tanium", "WithSecure Elements", "Stormshield SES", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "SentinelOne EDR", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "8c2a5ca5-ad13-412d-bd58-188c6a3c24ff", "name": "Svchost DLL Search Order Hijack", "effort": "master", "data_sources": ["DLL monitoring", "Loaded DLLs", "Windows event logs"], "description": "Detects svchost process hijacking through DLL loading. IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\\Windows\\System32\\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote machine.", "attack": ["execution - DLL Side-Loading (T1574.002)", "execution - DLL (T1574.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "4891a71e-5f18-4b33-8dc2-0035a07c5aa5", "name": "Language Discovery", "effort": "advanced", "data_sources": ["Windows Registry"], "description": "Detects when a user makes a query on the language of the system.", "attack": ["discovery - System Language Discovery (T1614.001)"], "intake-formats": ["Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Windows", "Trend Micro Vision One Workbench Alerts [BETA]", "Elastic Winlogbeat", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "e835209b-7541-4ff8-945f-f0334fb71ef9", "name": "External Disk Drive Or USB Storage Device", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects external diskdrives or plugged in USB device.", "attack": ["initial-access - Replication Through Removable Media (T1091)", "initial-access - Hardware Additions (T1200)"], "intake-formats": ["Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "b4fca87a-a0e6-4024-8680-72c9b2fdaf9b", "name": "TrustedInstaller Impersonation", "effort": "intermediate", "data_sources": ["Windows event logs", "PowerShell logs"], "description": "The rule detects attempts to impersonate TrustedInstaller. TrustedInstaller rights could allow a threat actor to delete or modify protected file or create/delete/modify files in protected folders. This technique is used by threat actors to disable Windows Defender.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Windows", "Trend Micro Vision One Workbench Alerts [BETA]", "Elastic Winlogbeat", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "5fce554b-d8fb-4615-8f46-3d7e6edef182", "name": "Compression Followed By Suppression", "effort": "advanced", "data_sources": ["Windows event logs", "PowerShell logs"], "description": "Detects when a file is compressed and deleted.", "attack": ["stealth - File Deletion (T1070.004)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "31aaeb8a-d1ba-4c9e-9664-15ad363dcbec", "name": "In-memory PowerShell", "effort": "master", "data_sources": ["DLL monitoring", "Loaded DLLs", "PowerShell logs", "Process monitoring"], "description": "Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's \"load powershell\" extension and tool such PowerShDll.", "attack": ["execution - PowerShell (T1086)", "execution - PowerShell (T1059.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "f7be969d-eb10-43f5-a5d3-0bae05c0e0c6", "name": "Correlation Admin Files Checked On Network Share", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects requests to multiple admin files on a network share. This could be an attacker performing reconnaissance steps on the system.", "attack": ["discovery - Network Share Discovery (T1135)"], "intake-formats": ["Cisco NX-OS", "NeroSwarm Honeypot", "BeyondTrust Privileged Remote Access Session", "NucleonEDR", "Cybereason EDR activity", "VMware vCenter", "Sophos Analysis Threat Center", "IBM iSeries", "SonicWall Firewall", "Palo Alto NGFW", "Sophos EDR", "Stormshield SES", "Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent", "IBM AIX", "Palo Alto Prisma access", "BeyondTrust PRA Team [BETA]", "Trend Micro Apex One / Vision One endpoint"]}, {"uuid": "19f78171-3d98-432e-9d41-81de6ca201e0", "name": "Windows Suspicious Scheduled Task Creation", "effort": "master", "data_sources": ["Windows event logs"], "description": "The rule identify creation of new scheduled task who run suspicious commands.", "attack": ["privilege-escalation - Scheduled Task (T1053.005)"], "intake-formats": ["Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "440aa4b1-56d2-4622-b414-3fc38bd4fbf5", "name": "Certify Or Certipy", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects the use of certify and certipy which are two different tools used to enumerate and abuse Active Directory Certificate Services.", "attack": ["privilege-escalation - Exploitation for Privilege Escalation (T1068)"], "intake-formats": ["Cloudflare Gateway HTTP", "Trellix Network Security", "Cybereason EDR", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Tanium", "Thinkst Canary", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Broadcom Siteminder", "Zscaler Internet Access", "Gatewatcher AionIQ V103", "CEF", "SentinelOne EDR", "Cato Networks SASE", "Kaspersky Endpoint Security", "Akamai Guardicore On-Prem [BETA]", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Bitdefender GravityZone", "Windows Log Insight", "Elastic Winlogbeat", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "Google Workspace / ChromeOS", "OCSF", "Claroty xDome", "Daspren Parad", "Juniper NGFW", "Mimecast Email Security", "Citrix NetScaler / ADC", "Palo Alto NGFW", "Trellix EDR [ALPHA]", "Stormshield SNS", "F5 BIG-IP", "Cisco Secure Firewall", "Trellix ePO (on-prem)", "IBM AIX", "Varonis Data Security", "Jumpcloud Directory Insights", "Azure Activity Logs", "Trellix EPO [ALPHA]", "CrowdStrike Falcon", "Microsoft 365 / Office 365", "Gatewatcher AionIQ v102", "Palo Alto Prisma access", "Akamai Guardicore Cloud [BETA]", "Trend Micro Apex One / Vision One endpoint", "BeyondTrust Privileged Remote Access Session", "Netskope", "ESET Protect", "Broadcom/Symantec Endpoint Security", "TEHTRIS EDR", "Watchguard EPDR", "WithSecure Elements", "Google Kubernetes Engine", "IBM iSeries", "Elastic AuditBeat Linux", "Stormshield SES", "Proofpoint PoD", "Cisco Umbrella Proxy", "ManageEngine ADAudit Plus", "Cisco IOS router and switch", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "Palo Alto Cortex XDR (EDR)", "Postfix", "Azure Windows", "NucleonEDR", "CyberArk Audit Logs", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "Keycloak Events", "Fortinet FortiProxy", "Cybereason EDR activity", "Cisco Secure Web Appliance", "WALLIX Bastion", "SonicWall Firewall", "CyberArk Digital Vault", "Fortinet FortiMail", "Trellix Advanced Threat Defense", "Fortinet FortiGate", "VMware ESXi", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]"]}, {"uuid": "b809c668-c8c7-4380-bf13-ff74783e72e9", "name": "Antivirus Exploitation Framework Detection", "effort": "elementary", "data_sources": ["Windows event logs", "Anti-virus"], "description": "Detects a highly relevant Antivirus alert that reports an exploitation framework. This is based on Windows Defender logs (Event ID 1116 and 1117). ", "attack": ["execution - Exploitation for Client Execution (T1203)", "command-and-control - Remote Access Tools (T1219)"], "intake-formats": ["Stormshield SES", "Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "2d831218-da56-4591-9fed-90553de56c8b", "name": "Hijack Legit RDP Session To Move Laterally", "effort": "intermediate", "data_sources": ["File monitoring", "Process monitoring", "Windows event logs"], "description": "Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.", "attack": ["execution - Services File Permissions Weakness (T1574.010)"], "intake-formats": ["Cisco NX-OS", "ESET Protect", "Broadcom/Symantec Endpoint Security", "Crowdstrike Falcon Telemetry", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Sophos Analysis Threat Center", "Daspren Parad", "Juniper NGFW", "IBM iSeries", "SonicWall Firewall", "Stormshield SES", "CEF", "SentinelOne EDR", "Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent", "IBM AIX", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "a4e7431f-7114-42d9-a5f5-957a8ba98469", "name": "Office Application Startup Office Test", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs", "Windows Registry"], "description": "Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed everytime an Office application is started. An adversaries may abuse the Microsoft Office \"Office Test\" Registry key to obtain persistence on a compromised system.", "attack": ["persistence - Office Test (T1137.002)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "9e65a56f-af6e-4fec-8346-7df35d58bc4f", "name": "Inhibit System Recovery Deleting Backups", "effort": "intermediate", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters", "PowerShell logs"], "description": "Detects adversaries attempts to delete backups or inhibit system recovery. This rule relies on differents known techniques using Windows events logs from Sysmon (ID 1), and PowerShell (ID 4103, 4104).", "attack": ["impact - Inhibit System Recovery (T1490)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "0ad5f1bf-034e-4a90-868f-a463ac06dcd7", "name": "Searchindexer Wrong Parent", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects if the Search Indexer was executed by a non-legitimate parent process. Search Indexer is the Windows service that handles indexing of your files for Windows Search.", "attack": ["privilege-escalation - Process Injection (T1055)", "privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Tanium", "Stormshield SES", "ESET Protect", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Windows", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "15c00b38-8b0d-454b-8183-5fb451cb0f7a", "name": "Wdigest Enable UseLogonCredential", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs", "Windows Registry"], "description": "Detects modification of the Windows Registry value of HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential. This technique is used to extract passwords in clear-text using WDigest. The rule requires to log for Registry Events, which can be done using Sysmon Event IDs 12, 13 and 14.", "attack": ["persistence - Modify Registry (T1112)", "credential-access - OS Credential Dumping (T1003)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "9ccf98d7-1100-417d-a71f-3a4a222cbd22", "name": "Active Directory Delegate To KRBTGT Service", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "Detects potential persistence installation from an already compromised administrator domain account. The attacker will create a TGT and abuse a service account with the constrained delegation and update it with the krbtgt service. The detection relies on the Event ID 4738.", "attack": ["privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "496c08a1-84ac-4e05-aeef-26daadcf455a", "name": "Wmic Process Call Creation", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "The WMI command-line (WMIC) utility provides a command-line interface for Windows Management Instrumentation (WMI). WMIC is compatible with existing shells and utility commands. Although WMI is supposed to be an administration tool, it is wildy abused by threat actors. One of the reasons is WMI is quite stealthy. This rule detects the wmic command line launching a process on a remote or local host.", "attack": ["execution - Windows Management Instrumentation (T1047)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "8ce183b9-22eb-4cbe-815a-d624693db2bd", "name": "Suspicious Mshta Execution", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects suspicious mshta.exe execution patterns, either involving file polyglotism, remote file (http, ftp or ldap) or suspicious location. This technique is often used by threat actors.", "attack": ["stealth - Deobfuscate/Decode Files or Information (T1140)", "stealth - Mshta (T1218.005)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "c2fb9898-12b2-403c-9252-2591abdc5ca5", "name": "Taskhost or Taskhostw Suspicious Child Found", "effort": "master", "data_sources": ["Windows event logs", "Process monitoring"], "description": "Task Host manages pop-up windows when users try to close them in a Windows environment. Taskhost.exe triggers the host process for the task. Task Host is a Windows process designed to alert users when dialog boxes close. It is usually launched when restarting and shutting down a PC, and checks if all programs have been properly closed. This process should not create a child process or it is very rare.", "attack": ["privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Sekoia.io Endpoint Agent", "Tanium", "Stormshield SES", "ESET Protect", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "SentinelOne EDR", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "74f9cbff-7200-47a0-8c27-118ff10a3ec9", "name": "HackTools Suspicious Process Names In Command Line", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs", "Process command-line parameters"], "description": "Detects the default process name of several HackTools and also check in command line. This rule is here for quickwins as it obviously has many blind spots.", "attack": ["credential-access - OS Credential Dumping (T1003)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "12ca53fd-8f6a-4556-a5a5-7b40625b4acc", "name": "Usage Of Procdump With Common Arguments", "effort": "advanced", "data_sources": ["Windows event logs", "Process command-line parameters"], "description": "Detects the usage of Procdump sysinternals tool with some common arguments and followed by common patterns.", "attack": ["execution - Service Execution (T1569.002)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "a51ad4d2-3e22-4c27-a527-84b5d78d1736", "name": "Winword Document Droppers", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects specific process characteristics of word document droppers. This techniques has been used by Maze ransomware operators.", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["SentinelOne Singularity Identity", "OCSF", "Sekoia.io Endpoint Agent", "Tanium", "Cybereason EDR activity", "ESET Protect", "Stormshield SES", "Azure Activity Logs", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "74151423-36bd-4f3f-634d-24b4f47ea186", "name": "Correlation Internal Kerberos Password Spraying", "effort": "master", "data_sources": ["Windows event logs"], "description": "Detect multiple Kerberos authentication failed on several account from one source", "attack": ["credential-access - Password Spraying (T1110.003)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "86b48d11-261d-4d65-9beb-7ff7b60d22c7", "name": "Unsigned Image Loaded Into LSASS Process", "effort": "advanced", "data_sources": ["DLL monitoring", "Loaded DLLs", "Process monitoring", "Windows event logs"], "description": "Loading unsigned image (DLL, EXE) into LSASS process. To activate this rule you need to monitor loaded images into the LSASS process, this can be done with SYSMON Event ID 7.", "attack": ["credential-access - LSASS Memory (T1003.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "b9a3eb18-7b0f-4408-8e4b-c697d1eea8e6", "name": "WerFaultSecure Abuse", "effort": "advanced", "data_sources": ["Windows event logs", "Process command-line parameters"], "description": "Detect usage of the software vulnerability of WerFaultSecure to suspend the processes of EDRs, and bypass detection. It has been implemented in the tool EDR-Freeze.", "attack": ["execution - Windows Management Instrumentation (T1047)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "aa416c69-e9d7-417a-90f1-a29e1cf065e3", "name": "Csrss Child Found", "effort": "advanced", "data_sources": ["Process monitoring", "Windows event logs"], "description": "The csrss.exe process (csrss stands for Client / Server Runtime Subsystem) is a generic Windows process used to manage windows and Windows graphics. This process  should not create a child process or it is very rare.", "attack": ["privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Sekoia.io Endpoint Agent", "Tanium", "Stormshield SES", "ESET Protect", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Windows", "SentinelOne EDR", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "1039a0e3-9410-4de1-84a2-039c00c61495", "name": "Microsoft Defender Antivirus Signatures Removed With MpCmdRun", "effort": "elementary", "data_sources": ["Windows event logs", "Process command-line parameters", "Process monitoring"], "description": "Detects attempts to remove Windows Defender Signatures using MpCmdRun legitimate Windows Defender executable. No signatures mean Windows Defender will be less effective (or completely useless depending on the option used).", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "7c88bd80-2df5-40d2-8f7f-0b60f185458d", "name": "MMC Spawning Windows Shell", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects a Windows command line executable started from MMC process", "attack": ["lateral-movement - Distributed Component Object Model (T1021.003)"], "intake-formats": ["SentinelOne Singularity Identity", "OCSF", "Sekoia.io Endpoint Agent", "Tanium", "Cybereason EDR activity", "ESET Protect", "Stormshield SES", "Azure Activity Logs", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "37c8265f-0e4b-47c1-b521-94d242ff39f6", "name": "PowerShell Downgrade Attack", "effort": "elementary", "data_sources": ["PowerShell logs", "Process monitoring", "Process command-line parameters"], "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "04caf5b7-f885-4af8-9aec-fa7de070228c", "name": "Active Directory Shadow Credentials", "effort": "elementary", "data_sources": ["Windows event logs"], "description": "Detects alternative credentials material adding. Attackers can abuse msDS-KeyCredentialLink and create a key pair to obtain a persistent and stealthy access to the target user or computer.", "attack": ["credential-access - Modify Authentication Process (T1556)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "87990718-cc8c-4949-9ad5-4d8a9b700098", "name": "MS Office Product Spawning Exe in User Dir", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects an executable in the users directory started from Microsoft Word, Excel, Powerpoint, Publisher or Visio. This is a common technique used by attackers with documents embedding macros. It requires Windows command line logging events.", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Tanium", "Stormshield SES", "ESET Protect", "CrowdStrike Falcon", "Bitdefender GravityZone", "SentinelOne Cloud Funnel 2.0", "Windows", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "d12fcd50-6c26-48b3-9dcf-52a8e59bf1fb", "name": "Microsoft Defender Antivirus Disable SecurityHealth", "effort": "intermediate", "data_sources": ["Windows event logs", "Windows Registry", "Process monitoring", "Process command-line parameters"], "description": "The rule detects attempts to deactivate/disable Windows Defender SecurityHealth through command line, PowerShell scripts, and registry. To fully use this rule Windows Registry logging is recommended.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "002184b5-748e-4ff0-8b6b-d2a74959b81a", "name": "Detection of default Mimikatz banner", "effort": "intermediate", "data_sources": ["PowerShell logs", "Windows event logs"], "description": "Detection of default Mimikatz banner in powershell events", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "49eef639-909a-4447-94ff-2574ad360e24", "name": "HackTools Suspicious Names", "effort": "advanced", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Quick-win rule to detect the default process names or file names of several HackTools.", "attack": ["credential-access - OS Credential Dumping (T1003)"], "intake-formats": ["Cloudflare Gateway HTTP", "Trellix Network Security", "Cybereason EDR", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Tanium", "Thinkst Canary", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Broadcom Siteminder", "Zscaler Internet Access", "Gatewatcher AionIQ V103", "CEF", "SentinelOne EDR", "Cato Networks SASE", "Kaspersky Endpoint Security", "Akamai Guardicore On-Prem [BETA]", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Windows Log Insight", "Elastic Winlogbeat", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "Google Workspace / ChromeOS", "OCSF", "Claroty xDome", "Daspren Parad", "Juniper NGFW", "Mimecast Email Security", "Palo Alto NGFW", "Trellix EDR [ALPHA]", "Stormshield SNS", "Cisco Secure Firewall", "Trellix ePO (on-prem)", "IBM AIX", "Varonis Data Security", "Jumpcloud Directory Insights", "Azure Activity Logs", "Trellix EPO [ALPHA]", "CrowdStrike Falcon", "Microsoft 365 / Office 365", "Gatewatcher AionIQ v102", "Palo Alto Prisma access", "Trend Micro Apex One / Vision One endpoint", "Akamai Guardicore Cloud [BETA]", "BeyondTrust Privileged Remote Access Session", "Netskope", "ESET Protect", "Broadcom/Symantec Endpoint Security", "TEHTRIS EDR", "Watchguard EPDR", "WithSecure Elements", "IBM iSeries", "Elastic AuditBeat Linux", "Stormshield SES", "Proofpoint PoD", "Cisco Umbrella Proxy", "ManageEngine ADAudit Plus", "Cisco IOS router and switch", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "Palo Alto Cortex XDR (EDR)", "Postfix", "Azure Windows", "CyberArk Audit Logs", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "Keycloak Events", "Fortinet FortiProxy", "Cybereason EDR activity", "Cisco Secure Web Appliance", "SonicWall Firewall", "CyberArk Digital Vault", "Fortinet FortiMail", "Trellix Advanced Threat Defense", "Fortinet FortiGate", "VMware ESXi", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]"]}, {"uuid": "3c305f20-1b2f-465c-b39f-5f9992cd9a80", "name": "Shadow Copies", "effort": "master", "data_sources": ["PowerShell logs", "Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects command line used to create and list shadow copies. An adversary may attempt to get information on shadow volumes to perform deletion or extract password hashes from the ntds.dit file. This rule requires command line logging or Windows PowerShell events (4104).", "attack": ["discovery - System Information Discovery (T1082)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "5fe2818a-9495-49a3-b53f-c7b28b02fc3a", "name": "Suspicious Windows Installer Execution", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects suspicious execution of the Windows Installer service (msiexec.exe) which could be used to install a malicious MSI package hosted on a remote server.", "attack": ["stealth - Msiexec (T1218.007)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "e3457abd-b1cb-4a9a-9d66-6b62133f8b6c", "name": "Ursnif Registry Key", "effort": "elementary", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects a new registry key created by Ursnif malware. The rule requires to log for Registry Events, which can be done using SYsmon's Event IDs 12,13 and 14.", "attack": ["persistence - Modify Registry (T1112)"], "intake-formats": ["BeyondTrust Privileged Remote Access Session", "Sekoia.io Endpoint Agent", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "Crowdstrike Falcon Telemetry", "BeyondTrust PRA Team [BETA]", "Microsoft Defender XDR (Graph API) [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "408f96f9-114f-4122-9092-54d10dbb7037", "name": "Webshell Creation", "effort": "master", "data_sources": ["File monitoring"], "description": "Detects possible webshell file creation. It requires File Creation monitoring, which can be done using Sysmon's Event ID 11. However the recommended SwiftOnSecurity configuration does not fully cover the needs for this rule, it needs to be updated with the proper file names extensions.", "attack": ["persistence - Web Shell (T1505.003)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Netskope", "Trellix Network Security", "CyberArk Audit Logs", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Watchguard EPDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Sophos Analysis Threat Center", "Daspren Parad", "IBM iSeries", "SonicWall Firewall", "Palo Alto NGFW", "CEF", "SentinelOne EDR", "ManageEngine ADAudit Plus", "Kaspersky Endpoint Security", "Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent", "IBM AIX", "One Identity SPS", "Varonis Data Security", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Palo Alto Prisma access", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "043c8c79-3452-44d2-8f21-7b03b8532548", "name": "DNS ServerLevelPluginDll Installation", "effort": "master", "data_sources": ["DLL monitoring", "Process command-line parameters", "Windows event logs", "Windows Registry"], "description": "Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Windows Registry or in command line, which can be used to execute code in context of the DNS server (restart required). To fully use this rule, prerequesites are logging for Registry events in the Sysmon configuration (events 12, 13 and 14).", "attack": ["execution - DLL Side-Loading (T1574.002)", "persistence - Modify Registry (T1112)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "eb872e56-27c1-4955-a7e8-e9fd8136541f", "name": "Logonui Wrong Parent", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Logonui.exe is a file associated with the Logon user interface. The login user interface is an essential part of the Windows operating system. It doesn't only make it easy for the user to log in to the PC but also determines whether the user has logged in and logged out correctly and makes it easy to switch between users. This rule checks if the parent of this process is a legitimate one or not.", "attack": ["privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Tanium", "Stormshield SES", "ESET Protect", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Windows", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "bd714c87-b75e-4132-bb5b-19c2d0cd093d", "name": "Correlation Priv Esc Via Remote Thread", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detect a process that obtains system privilege via a remote thread", "attack": ["privilege-escalation - Access Token Manipulation (T1134)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "ESET Protect", "Broadcom/Symantec Endpoint Security", "NucleonEDR", "Crowdstrike Falcon Telemetry", "Stormshield SES", "SentinelOne EDR", "Windows", "Trellix ePO (on-prem)", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Trend Micro Vision One OAT [BETA]", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Trend Micro Apex One / Vision One endpoint"]}, {"uuid": "7e72b6ee-668b-437b-8fda-fbc5eb1a3761", "name": "Password Change On Directory Service Restore Mode (DSRM) Account", "effort": "intermediate", "data_sources": ["Authentication logs", "Windows event logs"], "description": "The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.", "attack": ["privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["Cisco NX-OS", "ExtraHop Reveal(x) 360", "BeyondTrust Privileged Remote Access Session", "NeroSwarm Honeypot", "Kubernetes Audit Log", "Azure Network Watcher [DEPRECATED]", "Azure Network Watcher Flow Logs", "CyberArk Audit Logs", "TEHTRIS EDR", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "BeyondTrust PRA Vault Account Activity [BETA]", "Lacework Cloud Security", "Keycloak Events", "AWS CloudTrail", "OCSF", "WithSecure Elements", "Cybereason EDR activity", "Thinkst Canary", "Claroty xDome", "Salesforce", "VMware vCenter", "Forcepoint Secure Web Gateway", "Forcepoint Next-Generation Firewall", "Radware DefensePro [Beta]", "Sophos Analysis Threat Center", "RSA SecurID", "IBM iSeries", "Ivanti / Pulse Connect Secure", "Citrix NetScaler / ADC", "SonicWall Firewall", "Palo Alto NGFW", "Sophos EDR", "Clavister NGFW", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "Fortinet FortiGate", "F5 BIG-IP", "Cisco IOS router and switch", "Trellix Advanced Threat Defense", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent", "Trellix ePO (on-prem)", "ArubaOS Switch", "IBM AIX", "Delinea PRA", "WatchGuard Firebox", "Windows Log Insight", "Microsoft 365 / Office 365", "Palo Alto Prisma access", "BeyondTrust PRA Team [BETA]", "Azure Windows", "Check Point NGFW", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "8a3d85dc-733d-41d0-8e84-6a1d07431715", "name": "DNS Tunnel Technique From MuddyWater", "effort": "elementary", "data_sources": ["PowerShell logs", "Process command-line parameters", "Process monitoring"], "description": "Detecting DNS Tunnel Activity For Muddywater intrusion set. This is the loading of a specific DLL from an Excel macro which is detected.", "attack": ["command-and-control - DNS (T1071.004)"], "intake-formats": ["SentinelOne Singularity Identity", "OCSF", "Sekoia.io Endpoint Agent", "Tanium", "Cybereason EDR activity", "Stormshield SES", "Azure Activity Logs", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "8283ef9c-dc67-4416-b8f8-642752b2d55b", "name": "Transferring Files With Credential Data Via Network Shares", "effort": "intermediate", "data_sources": ["File monitoring", "Windows event logs"], "description": "Detects file transfer of sensitive files which contain credential data using network shares.", "attack": ["credential-access - OS Credential Dumping (T1003)"], "intake-formats": ["Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "7139bc94-eded-473b-ba8c-35f9e2fc802a", "name": "DPAPI Domain Backup Key Extraction", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers", "attack": ["credential-access - LSA Secrets (T1003.004)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "48ebecd8-4de3-11ec-81d3-0242ac130003", "name": "RDP Session Discovery", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects use of RDP session discovery via qwinsta or quser. Used by some threat actors to know if someone is working via RDP on a server.", "attack": ["discovery - System Owner/User Discovery (T1033)"], "intake-formats": ["Cisco NX-OS", "ESET Protect", "Broadcom/Symantec Endpoint Security", "Crowdstrike Falcon Telemetry", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "Keycloak Events", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Thinkst Canary", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Daspren Parad", "IBM iSeries", "Juniper NGFW", "Elastic AuditBeat Linux", "SonicWall Firewall", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CEF", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Akamai Guardicore On-Prem [BETA]", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trellix ePO (on-prem)", "Trend Micro Vision One OAT [BETA]", "Jumpcloud Directory Insights", "Azure Activity Logs", "Trellix EPO [ALPHA]", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "VMware ESXi", "Microsoft 365 / Office 365", "Postfix", "Windows Log Insight", "Azure Windows", "Akamai Guardicore Cloud [BETA]", "Elastic Winlogbeat"]}, {"uuid": "b0d73941-2c95-4472-9e19-a9c2055e0139", "name": "Anomaly Secret Store Access", "effort": "master", "data_sources": ["Windows event logs"], "description": "The rule detects abnormally high access to secrets store folder", "attack": ["credential-access - Credentials from Password Stores (T1555)"], "intake-formats": []}, {"uuid": "b833f0dc-b682-4151-9f75-db2fc16e6e7f", "name": "ISO LNK Infection Chain", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detection of an ISO (or any other similar archive file) downloaded file, followed by a child-process of explorer, which is characteristic of an infection using an ISO containing an LNK file. For events with `host.name`.", "attack": ["execution - Malicious Link (T1204.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Netskope", "ESET Protect", "Crowdstrike Falcon Telemetry", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "Google Workspace / ChromeOS", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Watchguard EPDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "Cybereason EDR activity", "Sophos Analysis Threat Center", "Daspren Parad", "IBM iSeries", "SonicWall Firewall", "Palo Alto NGFW", "Stormshield SES", "Zscaler Internet Access", "Cisco Umbrella Proxy", "CEF", "SentinelOne EDR", "Fortinet FortiGate", "Cato Networks SASE", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Trellix ePO (on-prem)", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Sekoia.io Endpoint Agent", "Varonis Data Security", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Microsoft 365 / Office 365", "Palo Alto Prisma access", "BeyondTrust PRA Team [BETA]", "Postfix", "Trend Micro Vision One Workbench Alerts [BETA]", "Trend Micro Apex One / Vision One endpoint"]}, {"uuid": "f636da47-3165-410e-a86a-b0aadab79be9", "name": "Netsh RDP Port Forwarding", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Process use of network", "Windows event logs"], "description": "Detects netsh commands that configure a port forwarding of port 3389 used for RDP. This is commonly used by attackers during lateralization on windows environments.", "attack": ["stealth - Disable or Modify System Firewall (T1562.004)", "stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "d0c8df42-02b4-4a4a-a316-334121cae30c", "name": "Suspicious DLL Loading By Ordinal", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects suspicious DLL Loading by ordinal number in a non legitimate or rare folders. For example, Sofacy (APT28) used this technique to load their Trojan in a campaign of 2018.", "attack": ["stealth - Rundll32 (T1218.011)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "e736f8d8-c2c5-41d9-85e4-2dce5ac2c7ee", "name": "WMImplant Hack Tool", "effort": "advanced", "data_sources": ["PowerShell logs", "Windows event logs", "Process command-line parameters"], "description": "WMImplant is a powershell framework used by attacker for reconnaissance and exfiltration, this rule attempts to detect WMimplant arguments and invokes commands. ", "attack": ["execution - Windows Management Instrumentation (T1047)", "execution - PowerShell (T1059.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "07f8ec89-1271-4142-9d01-08ea76a071cc", "name": "Suspicious PrinterPorts Creation (CVE-2020-1048)", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects new commands that add new printer port which point to suspicious file", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "862606db-11b4-4cf2-b65d-0ead209ee71f", "name": "New Service Creation", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects creation of a new service from command line", "attack": ["privilege-escalation - Windows Service (T1543.003)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "5a0e7027-440c-46b4-9170-9729b4591a2e", "name": "Gpscript Suspicious Parent", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Gpscript defines GPO scripts for users and applies them to login / logout sessions. This rule checks if the parent of this process is the supposed one (svchost) or not.", "attack": ["privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Tanium", "Stormshield SES", "ESET Protect", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Windows", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "ecdad0a7-c7da-4076-9465-7354ba48c5a6", "name": "WMI Event Subscription", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects creation of WMI event subscription persistence method ", "attack": ["persistence - Windows Management Instrumentation Event Subscription (T1546.003)"], "intake-formats": ["Elastic Winlogbeat", "Stormshield SES", "Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "3d6d8bbc-97b4-4daa-b5c4-0687fb836100", "name": "Suspicious DNS Child Process", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects suspicious processes spawned by the dns.exe process. It could be a great indication of the exploitation of the DNS RCE bug reported in CVE-2020-1350 (SIGRED).", "attack": ["initial-access - Exploit Public-Facing Application (T1190)", "execution - Service Execution (T1569.002)"], "intake-formats": ["SentinelOne Singularity Identity", "OCSF", "Sekoia.io Endpoint Agent", "Tanium", "Cybereason EDR activity", "ESET Protect", "Stormshield SES", "Azure Activity Logs", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "2a0d8735-048c-4c95-a564-292bd1c456e1", "name": "PasswordDump SecurityXploded Tool", "effort": "elementary", "data_sources": ["File monitoring", "Process monitoring", "Windows event logs"], "description": "Detects the execution of the PasswordDump SecurityXploded Tool", "attack": ["credential-access - Credentials from Password Stores (T1555)"], "intake-formats": ["Cloudflare Gateway HTTP", "Trellix Network Security", "Cybereason EDR", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Tanium", "Thinkst Canary", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Broadcom Siteminder", "Zscaler Internet Access", "Gatewatcher AionIQ V103", "CEF", "SentinelOne EDR", "Cato Networks SASE", "Kaspersky Endpoint Security", "Akamai Guardicore On-Prem [BETA]", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Windows Log Insight", "Elastic Winlogbeat", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "Google Workspace / ChromeOS", "OCSF", "Claroty xDome", "Daspren Parad", "Juniper NGFW", "Mimecast Email Security", "Palo Alto NGFW", "Trellix EDR [ALPHA]", "Stormshield SNS", "Cisco Secure Firewall", "Trellix ePO (on-prem)", "IBM AIX", "Varonis Data Security", "Jumpcloud Directory Insights", "Azure Activity Logs", "Trellix EPO [ALPHA]", "CrowdStrike Falcon", "Microsoft 365 / Office 365", "Gatewatcher AionIQ v102", "Palo Alto Prisma access", "Trend Micro Apex One / Vision One endpoint", "Akamai Guardicore Cloud [BETA]", "BeyondTrust Privileged Remote Access Session", "Netskope", "ESET Protect", "Broadcom/Symantec Endpoint Security", "TEHTRIS EDR", "Watchguard EPDR", "WithSecure Elements", "IBM iSeries", "Elastic AuditBeat Linux", "Stormshield SES", "Proofpoint PoD", "Cisco Umbrella Proxy", "ManageEngine ADAudit Plus", "Cisco IOS router and switch", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "Palo Alto Cortex XDR (EDR)", "Postfix", "Azure Windows", "CyberArk Audit Logs", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "Keycloak Events", "Fortinet FortiProxy", "Cybereason EDR activity", "Cisco Secure Web Appliance", "SonicWall Firewall", "CyberArk Digital Vault", "Fortinet FortiMail", "Trellix Advanced Threat Defense", "Fortinet FortiGate", "VMware ESXi", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]"]}, {"uuid": "b8c71085-a995-48be-afef-e69afd890fdc", "name": "PowerShell Invoke-Obfuscation Obfuscated IEX Invocation", "effort": "advanced", "data_sources": ["PowerShell logs", "Windows event logs"], "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework", "attack": ["stealth - Obfuscated Files or Information (T1027)", "execution - PowerShell (T1059.001)"], "intake-formats": ["Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Windows", "Trend Micro Vision One Workbench Alerts [BETA]", "Elastic Winlogbeat", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "7b4dabe9-63e4-4361-8623-f47d96649722", "name": "Hiding Files With Attrib.exe", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects usage of attrib.exe to hide files from users.", "attack": ["stealth - Hidden Files and Directories (T1564.001)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "0601247b-8773-4b52-9d8c-6d14a46b6323", "name": "Smss Wrong Parent", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects if the Smss process was executed by a non-legitimate parent process. Session Manager Subsystem (smss) process is a component of the Microsoft Windows NT family of operating systems.", "attack": ["privilege-escalation - Process Injection (T1055)", "privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Tanium", "Stormshield SES", "ESET Protect", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Windows", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "ae9621bf-4af2-419e-943d-3b62436feeea", "name": "Change Default File Association", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.", "attack": ["persistence - Change Default File Association (T1546.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "510ebe48-b546-4f26-af2c-c9f327220efa", "name": "Active Directory Replication User Backdoor", "effort": "intermediate", "data_sources": ["Access tokens", "Windows event logs"], "description": "Backdooring domain object to grant the rights associated with DCSync to regular user or machine account, this technics is often used to give ResetPassword or WriteMembers or DCSync permission(s) for persistency on a domain.", "attack": ["privilege-escalation - Account Manipulation (T1098)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "4d7a9d37-1bd8-4397-96dc-3e7de476e099", "name": "CreateRemoteThread Common Process Injection", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects a possible process injection through CreateRemoteThread() which is spotted by EventID 8 from Sysmon and several EDRs. This rule has a list of process commonly being injected by the attackers that should be updated regularly.", "attack": ["privilege-escalation - Dynamic-link Library Injection (T1055.001)"], "intake-formats": []}, {"uuid": "f56c2457-f1bc-4cc2-87ee-658b76dd2e49", "name": "PowerShell NTFS Alternate Data Stream", "effort": "advanced", "data_sources": ["PowerShell logs", "Windows event logs"], "description": "Detects writing data into NTFS alternate data streams from PowerShell. Needs Script Block Logging (Event ID 4104)", "attack": ["stealth - NTFS File Attributes (T1564.004)", "execution - PowerShell (T1059.001)"], "intake-formats": ["Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Windows", "Trend Micro Vision One Workbench Alerts [BETA]", "Elastic Winlogbeat", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "479a2424-d5b2-4cbd-aca3-bdf30b582165", "name": "OneNote Suspicious Children Process", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "In January 2023, a peak of attacks using .one files was observed in the wild. This rule tries to detect the effect of such attempts using this technique.", "attack": ["privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Cisco NX-OS", "ESET Protect", "Broadcom/Symantec Endpoint Security", "Crowdstrike Falcon Telemetry", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Sophos Analysis Threat Center", "Daspren Parad", "Juniper NGFW", "IBM iSeries", "SonicWall Firewall", "Stormshield SES", "CEF", "SentinelOne EDR", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "5044359e-ea46-4329-877b-7f9cbebe2830", "name": "Registry Value Changed Via Windows Run Dialog", "effort": "master", "data_sources": ["Windows Registry", "Process monitoring"], "description": "Detects when a user enters a suspicious url command in the windows run dialog. Could be linked to ClickFix. For this rule, you will need to add auditing permissions to this specific key and enable audit registry.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "244bc594-cfc6-4aee-91f8-3367789a1f5a", "name": "RDP Login From Localhost", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects RDP login from localhost source address, which may be a tunnelled login to bypass network restrictions.", "attack": ["lateral-movement - Remote Desktop Protocol (T1021.001)"], "intake-formats": ["Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "7c552eec-74a6-4981-b410-4fae0f89588f", "name": "Disable .NET ETW Through COMPlus_ETWEnabled", "effort": "intermediate", "data_sources": ["Windows event logs", "Windows Registry", "Process command-line parameters", "Process monitoring", "PowerShell logs"], "description": "Detects potential adversaries stopping ETW providers recording loaded .NET assemblies. Prerequisites are logging for Registry events or logging command line parameters (both is better). Careful for registry events, if SwiftOnSecurity's SYSMON default configuration is used, you will need to update the configuration to include the .NETFramework registry key path. Same issue with Windows 4657 EventID logging, the registry path must be specified.", "attack": ["persistence - Modify Registry (T1112)", "stealth - Disable Windows Event Logging (T1562.002)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "b81512eb-16c7-4ded-9742-206562af6c14", "name": "Exploited CVE-2020-10189 Zoho ManageEngine", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189.", "attack": ["initial-access - Exploit Public-Facing Application (T1190)", "execution - PowerShell (T1059.001)", "execution - Windows Command Shell (T1059.003)"], "intake-formats": ["OCSF", "Trend Micro Vision One OAT [BETA]", "Sekoia.io Endpoint Agent", "Tanium", "WithSecure Elements", "Stormshield SES", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "SentinelOne EDR", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "0feaed11-8f2b-43e4-80d2-9578c937f9c5", "name": "Phosphorus (APT35) Exchange Discovery", "effort": "elementary", "data_sources": ["Process monitoring", "Windows event logs"], "description": "According to the Miscosoft's report, the group Phosphorus (part of APT35) uses a specific PowerShell command to collect information about its the environment of compromised Microsoft Exchange servers. The command is the following: Get-Recipient | Select Name -ExpandProperty EmailAddresses -first 1 | Select SmtpAddress |  ft -hidetableheaders", "attack": ["discovery - Email Account (T1087.003)"], "intake-formats": ["Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Windows", "Trend Micro Vision One Workbench Alerts [BETA]", "Elastic Winlogbeat", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "4cc8b8e4-8f6e-4b23-b87f-a8dc4b3b9a05", "name": "Suspicious DLL side loading from ProgramData", "effort": "intermediate", "data_sources": ["Loaded DLLs", "DLL monitoring", "Windows event logs"], "description": "Detects suspicious DLL side-loading from C:\\ProgramData where the DLL is not signed.", "attack": ["execution - DLL Side-Loading (T1574.002)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "0238e3ce-d9f1-4032-a588-2320f7c5cebb", "name": "Suspicious TGS requests (Kerberoasting)", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "The rule aims at detecting the Kerberoasting technique, when an attacker requests TGS in order to crack them offline. Toease its task, the attacker requests tickets with weak encryption (such as RC4_HMAC_MD5). The rule therefore detects when an user is requesting 5 TGS for different users in 5 minutes.", "attack": ["credential-access - Steal or Forge Kerberos Tickets (T1558)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "e63a2bc6-96be-4fd4-8f81-8423240e083b", "name": "Suspicious Hangul Word Processor Child Process", "effort": "elementary", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects suspicious Hangul Word Processor (HWP) child process that could indicate an exploitation as used by the Lazarus APT during the Operation Ghost Puppet (2018). This activity could correspond to a maldoc execution related to a .hwp file. Hangul is a proprietary word processing application that supports the Korean written language.", "attack": ["initial-access - Spearphishing Attachment (T1566.001)", "execution - Exploitation for Client Execution (T1203)"], "intake-formats": ["SentinelOne Singularity Identity", "OCSF", "Sekoia.io Endpoint Agent", "Tanium", "Cybereason EDR activity", "ESET Protect", "Stormshield SES", "Azure Activity Logs", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "dae12807-25a0-4f02-ac05-eb3fa137e5aa", "name": "Security Support Provider (SSP) Added to LSA Configuration", "effort": "elementary", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects the addition of a SSP to the registry. This is commonly used for persistence. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows. Logging for Registry events is needed for this rule to work (this can be done through Sysmon EventIDs 12 and 13).", "attack": ["privilege-escalation - Security Support Provider (T1547.005)"], "intake-formats": ["BeyondTrust Privileged Remote Access Session", "Sekoia.io Endpoint Agent", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "SentinelOne Cloud Funnel 2.0", "Windows", "Crowdstrike Falcon Telemetry", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "0469bfe6-471d-44de-a874-3510bded8ee4", "name": "TUN/TAP Driver Installation", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "Detects the installation of the TUN or TAP driver service, this activity could be related to data exfiltration using tunneling techniques. The TUN/TAP Windows Adapter is a network driver that enables some VPN providers to facilitate a VPN connection to their server. TUN/TAP driver is only used by specific VPNs (e.g. OpenVPN, Wireguard), not by thoses based on IKE protocols (e.g. IPsec).", "attack": ["exfiltration - Exfiltration Over Alternative Protocol (T1048)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "340505b2-95dd-43fa-9bca-aac21b41df1d", "name": "Netsh Port Forwarding", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Process use of network", "Windows event logs"], "description": "Detects netsh commands that enable a port forwarding between to hosts. This can be used by attackers to tunnel RDP or SMB shares for example.", "attack": ["stealth - Disable or Modify System Firewall (T1562.004)", "stealth - Disable or Modify Tools (T1562.001)", "command-and-control - Protocol Tunneling (T1572)", "command-and-control - Internal Proxy (T1090.001)", "exfiltration - Exfiltration Over C2 Channel (T1041)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "a9070565-2ee0-456c-b235-34c52f30d89a", "name": "Suspicious File Name", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects suspicious file name possibly linked to malicious tool.", "attack": ["execution - Command and Scripting Interpreter (T1059)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Cloudflare Gateway HTTP", "Netskope", "Trellix Network Security", "CyberArk Audit Logs", "Microsoft Defender XDR (Graph API) [BETA]", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Google Workspace / ChromeOS", "TEHTRIS EDR", "Watchguard EPDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Fortinet FortiProxy", "Tanium", "WithSecure Elements", "Thinkst Canary", "Cisco Secure Web Appliance", "Claroty xDome", "Sophos Analysis Threat Center", "IBM iSeries", "Mimecast Email Security", "SonicWall Firewall", "Palo Alto NGFW", "Proofpoint PoD", "Zscaler Internet Access", "Gatewatcher AionIQ V103", "CyberArk Digital Vault", "Cisco Umbrella Proxy", "CEF", "SentinelOne EDR", "Fortinet FortiMail", "Fortinet FortiGate", "ManageEngine ADAudit Plus", "Trellix Advanced Threat Defense", "Cato Networks SASE", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Trellix ePO (on-prem)", "Sekoia.io Endpoint Agent", "IBM AIX", "One Identity SPS", "Varonis Data Security", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "Microsoft 365 / Office 365", "Gatewatcher AionIQ v102", "BeyondTrust PRA Team [BETA]", "Palo Alto Prisma access", "Postfix", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "7c1f16c7-9684-4490-8939-66086c3f37ba", "name": "Equation Group DLL_U Load", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs", "Loaded DLLs"], "description": "Detects a specific tool and export used by EquationGroup", "attack": ["stealth - Rundll32 (T1218.011)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "7bff7f0a-c24a-4c56-a197-0574a9880a1a", "name": "SOCKS Tunneling Tool", "effort": "intermediate", "data_sources": ["Process command-line parameters"], "description": "Detects the usage of a SOCKS tunneling tool, often used by threat actors. These tools often use the socks5 commandline argument, however socks4 can sometimes be used as well. Unfortunately, socks alone (without any number) triggered too many false positives. ", "attack": ["command-and-control - Protocol Tunneling (T1572)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "353ba22f-f99a-4a77-a7e6-7bde6b0c3a51", "name": "Phorpiex DriveMgr Command", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects specific command used by the Phorpiex botnet to execute a copy of the loader during its self-spreading stage. As described by Microsoft, this behavior is unique and easily identifiable due to the use of folders named with underscores \"__\" and the PE name \"DriveMgr.exe\".", "attack": ["execution - Windows Command Shell (T1059.003)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "66987b18-cd6c-47a9-9c3b-5875ee9edadf", "name": "Formbook File Creation DB1", "effort": "intermediate", "data_sources": ["File monitoring", "Process monitoring", "Windows event logs"], "description": "Detects specific file creation (Users\\*\\AppData\\Local\\Temp\\DB1) to store data to exfiltrate (Formbook behavior). Logging for Sysmon event 11 is usually used for this detection. ", "attack": ["collection - Data from Local System (T1005)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Tanium", "WithSecure Elements", "Kaspersky Endpoint Security", "Palo Alto Cortex XDR (EDR)", "Windows", "SentinelOne EDR", "Daspren Parad", "BeyondTrust PRA Team [BETA]", "TEHTRIS EDR", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "e69bad49-6e8c-4bd8-89e0-2ee45c7009ce", "name": "OneNote Embedded File", "effort": "intermediate", "data_sources": ["File monitoring", "Process monitoring", "Windows event logs"], "description": "Detects creation or uses of OneNote embedded files with unusual extensions.  ", "attack": ["stealth - Software Packing (T1027.002)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Netskope", "Trellix Network Security", "CyberArk Audit Logs", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Watchguard EPDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Sophos Analysis Threat Center", "Daspren Parad", "IBM iSeries", "SonicWall Firewall", "Palo Alto NGFW", "CEF", "SentinelOne EDR", "ManageEngine ADAudit Plus", "Kaspersky Endpoint Security", "Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent", "IBM AIX", "One Identity SPS", "Varonis Data Security", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Palo Alto Prisma access", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "9a75b74f-ce58-4920-82f6-3f15c291596a", "name": "CVE-2017-11882 Microsoft Office Equation Editor Vulnerability", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects the exploitation of CVE-2017-11882 vulnerability. The Microsoft Office Equation Editor has no reason to do a network request or drop an executable file. This requires a sysmon configuration with file and network events.", "attack": ["stealth - Rundll32 (T1218.011)"], "intake-formats": ["Cisco NX-OS", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "Keycloak Events", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Thinkst Canary", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Daspren Parad", "IBM iSeries", "SonicWall Firewall", "Stormshield SES", "CEF", "SentinelOne EDR", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "Trellix ePO (on-prem)", "IBM AIX", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "Windows Log Insight", "Microsoft 365 / Office 365", "Postfix", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "101c3203-d492-4294-9603-5b783c89fa7a", "name": "Rubeus Register New Logon Process", "effort": "master", "data_sources": ["Windows event logs"], "description": "Detects potential use of Rubeus through registering a new logon process. This rule needs the EventID 4611, which can be configured through Group Policies (Audit Security System Extension)", "attack": ["credential-access - Steal or Forge Kerberos Tickets (T1558)"], "intake-formats": ["Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "7f75a483-640a-4305-b1e9-e1de971574c0", "name": "Suspicious Microsoft Defender Antivirus Exclusion Command", "effort": "master", "data_sources": ["PowerShell logs", "Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects PowerShell commands aiming to exclude path, process, IP address, or extension from scheduled and real-time scanning. These commands can be used by attackers or malware to avoid being detected by Windows Defender. Depending on the environment and the installed software, this detection rule could raise false positives. We recommend customizing this rule by filtering legitimate processes that use Windows Defender exclusion command in your environment.", "attack": ["stealth - Disable or Modify Tools (T1562.001)", "stealth - Deobfuscate/Decode Files or Information (T1140)", "execution - PowerShell (T1059.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "c5330fb6-1240-4863-a409-4459323ca65a", "name": "Advanced IP Scanner", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring", "Process use of network", "File monitoring"], "description": "Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.", "attack": ["discovery - Network Service Discovery (T1046)"], "intake-formats": ["Cloudflare Gateway HTTP", "Trellix Network Security", "Cybereason EDR", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Tanium", "Thinkst Canary", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Broadcom Siteminder", "Zscaler Internet Access", "Gatewatcher AionIQ V103", "CEF", "SentinelOne EDR", "Cato Networks SASE", "Kaspersky Endpoint Security", "Akamai Guardicore On-Prem [BETA]", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Systancia Cleanroom", "Bitdefender GravityZone", "Windows Log Insight", "Elastic Winlogbeat", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "Google Workspace / ChromeOS", "OCSF", "Claroty xDome", "Daspren Parad", "Juniper NGFW", "Mimecast Email Security", "Citrix NetScaler / ADC", "Palo Alto NGFW", "Trellix EDR [ALPHA]", "Stormshield SNS", "F5 BIG-IP", "Cisco Secure Firewall", "Trellix ePO (on-prem)", "IBM AIX", "Varonis Data Security", "Jumpcloud Directory Insights", "Trellix EPO [ALPHA]", "Azure Activity Logs", "CrowdStrike Falcon", "Microsoft 365 / Office 365", "Gatewatcher AionIQ v102", "Palo Alto Prisma access", "Akamai Guardicore Cloud [BETA]", "Trend Micro Apex One / Vision One endpoint", "BeyondTrust Privileged Remote Access Session", "Netskope", "ESET Protect", "Broadcom/Symantec Endpoint Security", "TEHTRIS EDR", "Watchguard EPDR", "WithSecure Elements", "Google Kubernetes Engine", "IBM iSeries", "Elastic AuditBeat Linux", "Stormshield SES", "Proofpoint PoD", "Cisco Umbrella Proxy", "ManageEngine ADAudit Plus", "Cisco IOS router and switch", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "Palo Alto Cortex XDR (EDR)", "Postfix", "Azure Windows", "NucleonEDR", "CyberArk Audit Logs", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "Keycloak Events", "Fortinet FortiProxy", "Cybereason EDR activity", "Cisco Secure Web Appliance", "WALLIX Bastion", "SonicWall Firewall", "CyberArk Digital Vault", "Fortinet FortiMail", "Trellix Advanced Threat Defense", "Fortinet FortiGate", "VMware ESXi", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]"]}, {"uuid": "565e0925-782d-497a-bc84-89eda2f8e7b0", "name": "Successful Brute Force Login From Internet", "effort": "advanced", "data_sources": ["Authentication logs", "Windows event logs"], "description": "Detects a spike of failed login followed by a success one from Internet for a given source and target", "attack": ["credential-access - Brute Force (T1110)", "stealth - Indirect Command Execution (T1202)"], "intake-formats": ["Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "779ed27f-d7e2-446e-8283-91ced486c8a6", "name": "Discovery Commands Correlation", "effort": "intermediate", "data_sources": ["Windows event logs", "Process command-line parameters"], "description": "Detects some frequent discovery commands used by some ransomware operators.", "attack": ["discovery - Domain Account (T1087.002)", "discovery - System Information Discovery (T1082)", "discovery - System Network Connections Discovery (T1049)", "discovery - System Network Configuration Discovery (T1016)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "ESET Protect", "Broadcom/Symantec Endpoint Security", "Crowdstrike Falcon Telemetry", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Barracuda CloudGen Firewall", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "IBM iSeries", "WALLIX Bastion", "SonicWall Firewall", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "SentinelOne EDR", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Trellix ePO (on-prem)", "SentinelOne Singularity Identity", "IBM AIX", "Sekoia.io Endpoint Agent", "Trend Micro Vision One OAT [BETA]", "Jumpcloud Directory Insights", "Trellix EPO [ALPHA]", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Microsoft 365 / Office 365", "Postfix", "Trend Micro Vision One Workbench Alerts [BETA]", "NucleonEDR"]}, {"uuid": "3a9dbfaa-864f-48ec-8cff-65063fd8086f", "name": "Grabbing Sensitive Hives Via Reg Utility", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects dump of SAM, System or Security hives using reg.exe utility. Adversaries may attempt to dump these Windows Registry to retrieve password hashes and access credentials.", "attack": ["credential-access - Security Account Manager (T1003.002)", "credential-access - LSA Secrets (T1003.004)", "credential-access - Cached Domain Credentials (T1003.005)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "1019a802-2bad-4a1f-b9e1-daaac938b8ae", "name": "DNS Server Error Failed Loading The ServerLevelPluginDLL", "effort": "master", "data_sources": ["Windows event logs"], "description": "This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded. This requires the dedicated Windows event provider Microsoft-Windows-DNS-Server-Service.", "attack": ["execution - DLL Side-Loading (T1574.002)"], "intake-formats": ["ArubaOS Switch", "Keycloak Events", "AWS CloudTrail", "NeroSwarm Honeypot", "OCSF", "Delinea PRA", "WithSecure Elements", "Stormshield SES", "CyberArk Audit Logs", "Windows", "Fortinet FortiGate", "Azure Windows", "Ivanti / Pulse Connect Secure", "Elastic Winlogbeat", "Trellix ePO (on-prem)", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "d2d80d00-b87b-4822-9434-254a3503c8e0", "name": "Domain Group And Permission Enumeration", "effort": "advanced", "data_sources": ["Windows event logs", "Process monitoring", "Process use of network", "Process command-line parameters"], "description": "Detects adversaries attempts to find domain-level groups and permission settings. Commands such as net group /domain of the Net utility can list domain-level groups The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators. Wizard Spider, FIN6, and other groups used net in their campaigns.", "attack": ["discovery - Domain Groups (T1069.002)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "244b4381-9351-4c61-ac43-425c2d2f21aa", "name": "Suspicious Windows Script Execution", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects wscript.exe or cscript.exe executing a script in user directories (C:\\ProgramData or C:\\Users) with a .txt extension, which is very suspicious. It could strongly correspond to a malware dropper, as seen during SquirrelWaffle maldoc campaign.", "attack": ["execution - Command and Scripting Interpreter (T1059)", "execution - Visual Basic (T1059.005)", "execution - JavaScript (T1059.007)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "aa56afe1-cdea-4a08-9083-a9dea8f097cf", "name": "Suspicious Kerberos Ticket", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "Detect suspicious Kerberos ticket based on on their parameters which suggest that it could be forged.", "attack": ["credential-access - Steal or Forge Kerberos Tickets (T1558)", "credential-access - Steal or Forge Authentication Certificates (T1649)"], "intake-formats": ["Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "d62f9d25-1914-44a6-8604-4a99c8baf13c", "name": "Mshta Suspicious Child Process", "effort": "intermediate", "data_sources": ["Windows event logs", "Process monitoring"], "description": "Detects the use of various web request methods executed remotely via Windows PowerShell", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["OCSF", "Sekoia.io Endpoint Agent", "Tanium", "Stormshield SES", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "SentinelOne EDR", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "0aa746ea-2f44-45cf-9747-3e1d180d4b09", "name": "Windows Credential Editor Registry Key", "effort": "elementary", "data_sources": ["Windows event logs", "Windows Registry"], "description": "Detects the use of Windows Credential Editor (WCE). Prerequisites are logging for Registry events in the Sysmon configuration (events 12 and 13).", "attack": ["credential-access - LSASS Memory (T1003.001)"], "intake-formats": ["BeyondTrust Privileged Remote Access Session", "Sekoia.io Endpoint Agent", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "Crowdstrike Falcon Telemetry", "BeyondTrust PRA Team [BETA]", "Microsoft Defender XDR (Graph API) [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "bf9ea197-b5b3-4335-bd78-2d6e7abf9d58", "name": "Microsoft Defender Antivirus Set-MpPreference Base64 Encoded", "effort": "intermediate", "data_sources": ["PowerShell logs", "Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects changes of preferences for Windows Defender through command line or PowerShell scripts. Configure Windows Defender using base64-encoded commands is suspicious and could be related to malicious activities.", "attack": ["stealth - Disable or Modify Tools (T1562.001)", "stealth - Deobfuscate/Decode Files or Information (T1140)", "execution - PowerShell (T1059.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "edd2385f-3b00-4198-9889-38de697eac1c", "name": "Malicious Service Installations", "effort": "elementary", "data_sources": ["Process use of network", "Windows event logs"], "description": "Generic and known malicious service installation that appear in cases of lateral movement, credential dumping and other suspicious activity. It detects the use of PAExec, Wannacry commonly used malicious service, APT29 known malicious service name and net user service file name which is known as a sign of persistence.", "attack": ["credential-access - OS Credential Dumping (T1003)", "privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "9297b21b-390e-4da6-aaba-637e772744f1", "name": "Non-Legitimate Executable Using AcceptEula Parameter", "effort": "advanced", "data_sources": ["Process monitoring", "Process command-line parameters", "Windows event logs"], "description": "Detects accepteula in command line with non-legitimate executable name. Some attackers are masquerading SysInternals tools with decoy names to prevent detection.", "attack": ["stealth - Masquerading (T1036)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "1166f801-5442-461d-a788-4dc32ece6d10", "name": "Lazarus Loaders", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects different loaders used by the Lazarus Group APT", "attack": ["execution - Windows Command Shell (T1059.003)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "b6d9bb54-a771-4a78-a8fc-8e31c965b05a", "name": "MSBuild Abuse", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Windows event logs", "Process use of network"], "description": "Detection of MSBuild uses by attackers to infect an host. Focuses on XML compilation which is a Metasploit payload.", "attack": ["execution - MSBuild (T1127.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "NucleonEDR", "Crowdstrike Falcon Telemetry", "TEHTRIS EDR", "Tanium", "WithSecure Elements", "Google Kubernetes Engine", "Stormshield SES", "SentinelOne EDR", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "Trend Micro Vision One OAT [BETA]", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "Bitdefender GravityZone", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "5603097b-5574-41f3-bede-d882cc772b7a", "name": "Suspicious Cmd File Copy Command To Network Share", "effort": "intermediate", "data_sources": ["Windows event logs", "Process command-line parameters"], "description": "Copy suspicious files through Windows cmd prompt to network share", "attack": ["stealth - Rename Legitimate Utilities (T1036.003)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "6102214f-76fb-4c2c-9d59-f99c210d4bd4", "name": "Possible Replay Attack", "effort": "master", "data_sources": ["Windows event logs"], "description": "This event can be a sign of Kerberos replay attack or, among other things, network device configuration or routing problems.", "attack": ["credential-access - Steal or Forge Kerberos Tickets (T1558)"], "intake-formats": ["Cisco NX-OS", "ExtraHop Reveal(x) 360", "BeyondTrust Privileged Remote Access Session", "NeroSwarm Honeypot", "Kubernetes Audit Log", "Azure Network Watcher [DEPRECATED]", "Azure Network Watcher Flow Logs", "CyberArk Audit Logs", "TEHTRIS EDR", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "BeyondTrust PRA Vault Account Activity [BETA]", "Lacework Cloud Security", "Keycloak Events", "AWS CloudTrail", "OCSF", "WithSecure Elements", "Cybereason EDR activity", "Thinkst Canary", "Claroty xDome", "Salesforce", "VMware vCenter", "Forcepoint Secure Web Gateway", "Forcepoint Next-Generation Firewall", "Radware DefensePro [Beta]", "Sophos Analysis Threat Center", "RSA SecurID", "IBM iSeries", "Ivanti / Pulse Connect Secure", "Citrix NetScaler / ADC", "SonicWall Firewall", "Palo Alto NGFW", "Sophos EDR", "Clavister NGFW", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "Fortinet FortiGate", "F5 BIG-IP", "Cisco IOS router and switch", "Trellix Advanced Threat Defense", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent", "Trellix ePO (on-prem)", "ArubaOS Switch", "IBM AIX", "Delinea PRA", "WatchGuard Firebox", "Windows Log Insight", "Microsoft 365 / Office 365", "Palo Alto Prisma access", "BeyondTrust PRA Team [BETA]", "Azure Windows", "Check Point NGFW", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "55b184b8-694a-4c94-b562-212653236fb5", "name": "Suspicious CommandLine Lsassy Pattern", "effort": "intermediate", "data_sources": ["Windows event logs", "Process command-line parameters"], "description": "Detects the characteristic lsassy loop used to identify lsass PIDs", "attack": ["credential-access - LSASS Memory (T1003.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "285ce2c5-edc4-4759-9466-250722e72655", "name": "Remote System Discovery Via Telnet", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects use of the protocol telnet to access information.", "attack": ["reconnaissance - Gather Victim Network Information (T1590)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Apex One / Vision One endpoint"]}, {"uuid": "013c2feb-a7c6-49e8-bde2-c8d084bc37e3", "name": "Powershell Winlogon Helper DLL", "effort": "master", "data_sources": ["PowerShell logs", "Windows event logs", "Windows Registry"], "description": "Detects modifications to the Winlogon Registry keys, which may cause Winlogon to load and execute malicious DLLs and/or executables.", "attack": ["privilege-escalation - Winlogon Helper DLL (T1547.004)"], "intake-formats": ["BeyondTrust Privileged Remote Access Session", "Sekoia.io Endpoint Agent", "Tanium", "Stormshield SES", "Palo Alto Cortex XDR (EDR)", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "Crowdstrike Falcon Telemetry", "BeyondTrust PRA Team [BETA]", "Microsoft Defender XDR (Graph API) [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "4eec26d9-72e2-41a9-a92f-e551dd348cd4", "name": "Suspicious certutil command", "effort": "intermediate", "data_sources": ["Process command-line parameters", "Process monitoring", "Process use of network", "Windows event logs"], "description": "Detects suspicious certutil command which can be used by threat actors to download and/or decode payload. ", "attack": ["stealth - Deobfuscate/Decode Files or Information (T1140)", "defense-impairment - Install Root Certificate (T1553.004)", "command-and-control - Ingress Tool Transfer (T1105)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "50aff47a-e906-4825-a9ac-6205e378225b", "name": "DHCP Server Error Failed Loading the CallOut DLL", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded.", "attack": ["execution - DLL Side-Loading (T1574.002)"], "intake-formats": ["ArubaOS Switch", "Keycloak Events", "AWS CloudTrail", "NeroSwarm Honeypot", "OCSF", "Delinea PRA", "WithSecure Elements", "Stormshield SES", "CyberArk Audit Logs", "Windows", "Fortinet FortiGate", "Azure Windows", "Ivanti / Pulse Connect Secure", "Elastic Winlogbeat", "Trellix ePO (on-prem)", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "636a2fc0-d6c6-4dd9-a87f-7f86c20a5163", "name": "Kerberos Pre-Auth Disabled in UAC", "effort": "elementary", "data_sources": ["Windows event logs"], "description": "The rule identify a change performed on a domain user object that disables Kerberos Pre-Authentication", "attack": ["credential-access - AS-REP Roasting (T1558.004)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "6fc9340c-748c-4f20-b1d1-a439058eebb7", "name": "Metasploit PSExec Service Creation", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects Metasploit service creation when using the PSExec module. The ImagePath here is usually a malicious command line using powershell.exe and/or cmd.exe.", "attack": ["execution - Service Execution (T1569.002)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "f16976af-ea10-4655-aef6-970d1aca4276", "name": "Cookies Deletion", "effort": "master", "data_sources": ["Windows event logs"], "description": "Detects when cookies are deleted by a suspicious process.", "attack": ["stealth - Indicator Removal (T1070)"], "intake-formats": ["BeyondTrust Privileged Remote Access Session", "Netskope", "Elastic Winlogbeat", "Palo Alto Cortex XDR (EDR)", "CyberArk Audit Logs", "Windows", "BeyondTrust PRA Team [BETA]", "IBM iSeries", "Trend Micro Apex One / Vision One endpoint", "Barracuda CloudGen Firewall", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "430bd854-6cb5-457c-af50-05243ffb1e56", "name": "Suspicious PowerShell Invocations - Generic", "effort": "advanced", "data_sources": ["Windows event logs", "PowerShell logs", "Process command-line parameters"], "description": "Detects suspicious PowerShell invocation command parameters through command line logging or ScriptBlock Logging.", "attack": ["execution - PowerShell (T1059.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "6e318b4a-5590-4b3e-9879-42f68a235e9d", "name": "Network Sniffing Windows", "effort": "intermediate", "data_sources": ["File monitoring", "Host network interface", "Process command-line parameters", "Process monitoring", "Process use of network", "Windows event logs"], "description": "Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.", "attack": ["discovery - Network Sniffing (T1040)"], "intake-formats": ["Cisco NX-OS", "ESET Protect", "Broadcom/Symantec Endpoint Security", "Crowdstrike Falcon Telemetry", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "Keycloak Events", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Thinkst Canary", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Daspren Parad", "IBM iSeries", "Juniper NGFW", "Elastic AuditBeat Linux", "SonicWall Firewall", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CEF", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Akamai Guardicore On-Prem [BETA]", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trellix ePO (on-prem)", "Trend Micro Vision One OAT [BETA]", "Jumpcloud Directory Insights", "Azure Activity Logs", "Trellix EPO [ALPHA]", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "VMware ESXi", "Microsoft 365 / Office 365", "Postfix", "Windows Log Insight", "Azure Windows", "Akamai Guardicore Cloud [BETA]", "Elastic Winlogbeat"]}, {"uuid": "d6953ee3-1ca2-4892-89e2-4d83ec27a4e4", "name": "Taskhost Wrong Parent", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects if the Taskhost process was executed by a non-legitimate parent process. Taskhost is the process of the Windows Task Manager which lists the processes that are currently running on the computer system.", "attack": ["privilege-escalation - Process Injection (T1055)", "privilege-escalation - Windows Service (T1543.003)", "execution - Service Execution (T1569.002)"], "intake-formats": ["SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Tanium", "Stormshield SES", "ESET Protect", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Windows", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "b0c4fd9d-0274-4fc9-a806-0b24b54ac7cf", "name": "Permission Discovery Via Wmic", "effort": "advanced", "data_sources": ["Windows event logs"], "description": "Detects discovery of permission on local groups via the tool wmic.", "attack": ["discovery - Local Groups (T1069.001)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "07f5a079-5c40-4ffa-9511-6f57675f6f7d", "name": "PowerShell Data Compressed", "effort": "advanced", "data_sources": ["PowerShell logs", "Windows event logs", "Process command-line parameters"], "description": "Detects data compression through a PowerShell command (could be used by an adversary for exfiltration).", "attack": ["collection - Archive Collected Data (T1560)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "371b49a4-7e11-48e7-b0c7-ab78ef7c6101", "name": "ZIP LNK Infection Chain", "effort": "advanced", "data_sources": ["Process monitoring", "Windows event logs", "File monitoring"], "description": "Detection of an ZIP download followed by a child-process of explorer, followed by multiple Windows processes.This is widely used as an infection chain mechanism.", "attack": ["execution - Malicious Link (T1204.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Netskope", "ESET Protect", "Crowdstrike Falcon Telemetry", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "Google Workspace / ChromeOS", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Watchguard EPDR", "Barracuda CloudGen Firewall", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "IBM iSeries", "SonicWall Firewall", "Palo Alto NGFW", "Trellix EDR [ALPHA]", "Stormshield SES", "Zscaler Internet Access", "SentinelOne EDR", "Fortinet FortiGate", "Cisco IOS router and switch", "Cato Networks SASE", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Trellix ePO (on-prem)", "SentinelOne Singularity Identity", "IBM AIX", "Sekoia.io Endpoint Agent", "Trend Micro Vision One OAT [BETA]", "Varonis Data Security", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Microsoft 365 / Office 365", "Palo Alto Prisma access", "BeyondTrust PRA Team [BETA]", "Postfix", "Trend Micro Vision One Workbench Alerts [BETA]", "Trend Micro Apex One / Vision One endpoint"]}, {"uuid": "65b1014b-83be-4f8a-bf55-48faa6e2a474", "name": "CVE-2019-0708 Scan", "effort": "elementary", "data_sources": ["Windows event logs"], "description": "Detects the use of a scanner that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep.", "attack": ["lateral-movement - Exploitation of Remote Services (T1210)"], "intake-formats": ["Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "655c8218-6a8d-47a4-84c0-07df01bd251e", "name": "New DLL Added To AppCertDlls Registry Key", "effort": "intermediate", "data_sources": ["Windows Registry", "Windows event logs"], "description": "Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. Logging for Registry events is needed in the Sysmon configuration (events 12 and 13).", "attack": ["persistence - AppCert DLLs (T1546.009)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "9813039c-83c2-4083-851e-bcb57cf7cc5d", "name": "Computer Account Deleted", "effort": "master", "data_sources": ["Windows event logs"], "description": "Detects computer account deletion.", "attack": ["impact - Account Access Removal (T1531)"], "intake-formats": ["Cisco NX-OS", "ExtraHop Reveal(x) 360", "BeyondTrust Privileged Remote Access Session", "NeroSwarm Honeypot", "Kubernetes Audit Log", "Azure Network Watcher [DEPRECATED]", "Azure Network Watcher Flow Logs", "CyberArk Audit Logs", "TEHTRIS EDR", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "BeyondTrust PRA Vault Account Activity [BETA]", "Lacework Cloud Security", "Keycloak Events", "AWS CloudTrail", "OCSF", "WithSecure Elements", "Cybereason EDR activity", "Thinkst Canary", "Claroty xDome", "Salesforce", "VMware vCenter", "Forcepoint Secure Web Gateway", "Forcepoint Next-Generation Firewall", "Radware DefensePro [Beta]", "Sophos Analysis Threat Center", "RSA SecurID", "IBM iSeries", "Ivanti / Pulse Connect Secure", "Citrix NetScaler / ADC", "SonicWall Firewall", "Palo Alto NGFW", "Sophos EDR", "Clavister NGFW", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "Fortinet FortiGate", "F5 BIG-IP", "Cisco IOS router and switch", "Trellix Advanced Threat Defense", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent", "Trellix ePO (on-prem)", "ArubaOS Switch", "IBM AIX", "Delinea PRA", "WatchGuard Firebox", "Windows Log Insight", "Microsoft 365 / Office 365", "Palo Alto Prisma access", "BeyondTrust PRA Team [BETA]", "Azure Windows", "Check Point NGFW", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "58b64ad1-b954-4ed7-9542-1983b4ec5e2c", "name": "WMI Persistence Script Event Consumer File Write", "effort": "advanced", "data_sources": ["Windows event logs", "Process monitoring", "File monitoring"], "description": "Detects file writes through WMI script event consumer.", "attack": ["persistence - Windows Management Instrumentation Event Subscription (T1546.003)"], "intake-formats": ["Cisco NX-OS", "ESET Protect", "Broadcom/Symantec Endpoint Security", "Crowdstrike Falcon Telemetry", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Sophos Analysis Threat Center", "Daspren Parad", "Juniper NGFW", "IBM iSeries", "SonicWall Firewall", "Stormshield SES", "CEF", "SentinelOne EDR", "Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent", "IBM AIX", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "7f215f85-5d0d-465c-9879-dc5ff6511fed", "name": "AutoIt3 Execution From Suspicious Folder", "effort": "advanced", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects AutoIt3 execution from an unusual/suspicious folder. Legitimate folders are \"Program Files\" and \"AppData\\\\Local\". AutoIt3.exe is a legitimate process used to execute AutoIt program files, which are used by legitimate software, custom scripts, but also malware. Finding AutoIt3 execution from unusual/suspicious folder can help detect malware activities, such as DarkGate execution. The detection rule can be tailored to your environment and your use of AutoIt3 by filtering out folder's execution of legitimate applications or scripts.", "attack": ["stealth - Masquerading (T1036)", "execution - Command and Scripting Interpreter (T1059)"], "intake-formats": ["Cisco NX-OS", "ESET Protect", "Broadcom/Symantec Endpoint Security", "Crowdstrike Falcon Telemetry", "TEHTRIS EDR", "Tanium", "WithSecure Elements", "Daspren Parad", "Stormshield SES", "SentinelOne EDR", "Windows", "Akamai Guardicore On-Prem [BETA]", "Trellix ePO (on-prem)", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "Sekoia.io Endpoint Agent", "Trend Micro Vision One OAT [BETA]", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "5f3fa434-5ada-4661-b815-3dcb6456dd0e", "name": "Possible RottenPotato Attack", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "Detects logon events that have characteristics of events generated during an attack leveraging RottenPotato.", "attack": ["collection - Name Resolution Poisoning and SMB Relay (T1557.001)", "privilege-escalation - Access Token Manipulation (T1134)"], "intake-formats": ["Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "f2b63a93-be70-4562-8989-5126833f0f79", "name": "Suspicious Certificate Request-adcs Abuse", "effort": "elementary", "data_sources": ["Windows event logs"], "description": "Detects when a new certificate is requested or granted against Active Directory Certificate Services (AD CS) using a Subject Alternative Name (SAN)", "attack": ["credential-access - Steal or Forge Authentication Certificates (T1649)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "571c0bd6-0ef3-472a-851a-24776ea7a9db", "name": "Anomaly Possible Sysvol Dump", "effort": "master", "data_sources": ["Windows event logs"], "description": "The rule detects abnormally high access to sysvol files.", "attack": ["reconnaissance - Gather Victim Identity Information (T1589)"], "intake-formats": []}, {"uuid": "e8748497-a10a-40b2-a1d5-8d372c51719a", "name": "Microsoft Office Product Spawning Windows Shell", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detects a Windows command or scripting interpreter executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio. This typically indicates the parent process launched a malicious macro, or run an exploit. This infection vector is very common and could lead to the deployment of harmful malware.", "attack": ["execution - Malicious File (T1204.002)"], "intake-formats": ["SentinelOne Singularity Identity", "OCSF", "Sekoia.io Endpoint Agent", "Tanium", "Cybereason EDR activity", "ESET Protect", "Stormshield SES", "Azure Activity Logs", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "064c122c-a76c-11eb-8a85-f0d5bf514442", "name": "Suspicious PsExec Execution", "effort": "master", "data_sources": ["Windows event logs"], "description": "Detects execution of PsExec, different from the Sysinternals one. This rule helps to filter out the noise if PsExec is used for legit purposes or if attacker uses a different PsExec client other than Sysinternals one. The prerequisite is to log the Event ID 5145 (by setting \"Audit Policy > Object Access > Audit Detailed File Share\" to Success/Failure).", "attack": ["execution - Service Execution (T1569.002)"], "intake-formats": ["Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "2c3fb333-6a68-40d7-9ced-dfaa94265187", "name": "Remote Enumeration Of Lateral Movement Groups", "effort": "intermediate", "data_sources": ["Windows event logs"], "description": "Detects remote sessions that list the members of four local groups relevant to lateral movement. This behavior is common in Active Directory mapping tools such as SharpHound. Legitimate Active Directory auditing and monitoring tools (e.g. Varonis, Netwrix) will also be detected, and can by excluded by applying an alert filter on the SID of the service account (user.id).", "attack": ["discovery - Local Account (T1087.001)"], "intake-formats": ["Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "0318eb70-c478-4451-92c6-0f7a3daca373", "name": "MavInject Process Injection", "effort": "intermediate", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters"], "description": "Detects process injection using the signed Windows tool Mavinject32.exe (which is a LOLBAS)", "attack": ["privilege-escalation - Dynamic-link Library Injection (T1055.001)", "stealth - System Binary Proxy Execution (T1218)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "8bc6933a-deee-40f1-9272-3fac9a3015ec", "name": "RDP Configuration File From Mail Process", "effort": "advanced", "data_sources": ["Process command-line parameters", "Windows event logs", "File monitoring"], "description": "Detects RDP configuration file being created or executed by a Mail-related process like Outlook. RDP configuration file will allow, when opened, an user to connect to the configured server easily. Attackers use this to trick victims in order to get a shared drive and potentially retrieve the data from that drive, but also drop a malicious file on the drive to establish persistence. Using RDP can also expose the victim's credential and clipboard data on some cases.", "attack": ["collection - Data from Network Shared Drive (T1039)", "initial-access - Spearphishing Attachment (T1566.001)"], "intake-formats": ["Crowdstrike Falcon Telemetry", "OCSF", "Tanium", "Cybereason EDR activity", "Sophos Analysis Threat Center", "Stormshield SES", "SentinelOne EDR", "Windows", "Cisco Secure Firewall", "HarfangLab EDR", "Sekoia.io Endpoint Agent", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "Azure Activity Logs", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Microsoft 365 / Office 365", "Azure Windows", "Elastic Winlogbeat"]}, {"uuid": "82a29b6e-65cd-489e-aa1d-9246dc52b9c1", "name": "Njrat Registry Values", "effort": "intermediate", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters", "Windows Registry"], "description": "Detects specifis registry values that are related to njRat usage.", "attack": ["privilege-escalation - Boot or Logon Autostart Execution (T1547)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "4a317b95-ae41-42ff-b771-8f0b423b82d7", "name": "Suspicious Mshta Execution From Wmi", "effort": "intermediate", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters"], "description": "Detects mshta executed by wmiprvse as parent. It has been used by TA505 with some malicious documents.", "attack": ["execution - Windows Management Instrumentation (T1047)"], "intake-formats": ["SentinelOne Singularity Identity", "OCSF", "Sekoia.io Endpoint Agent", "Tanium", "Cybereason EDR activity", "ESET Protect", "Stormshield SES", "Azure Activity Logs", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "c3ff4445-8bc7-4604-af3b-414e60072450", "name": "Microsoft Windows Active Directory Module Commandlets", "effort": "advanced", "data_sources": ["Windows event logs", "PowerShell logs"], "description": "Detects use of commandlets linked to the AD Module.", "attack": ["reconnaissance - Gather Victim Network Information (T1590)"], "intake-formats": ["Trend Micro Vision One OAT [BETA]", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent"]}, {"uuid": "247b7e55-7a51-45ef-bf2a-6bcd535d87e2", "name": "APT29 Fake Google Update Service Install", "effort": "elementary", "data_sources": ["Windows event logs", "Process monitoring"], "description": "This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe so the service names and executable locations used by APT29 are specific enough to be detected in log files.", "attack": ["privilege-escalation - Windows Service (T1543.003)"], "intake-formats": ["Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "87bbf0bf-3fdb-4140-8d3c-7e9f7a9e7de9", "name": "SolarWinds Suspicious File Creation", "effort": "intermediate", "data_sources": ["File monitoring", "Process monitoring", "Windows event logs"], "description": "Detects SolarWinds process creating a file with a suspicious extension. The process solarwinds.businesslayerhost.exe created an unexpected file whose extension is \".exe\", \".ps1\", \".jpg\", \".png\" or \".dll\".", "attack": ["execution - System Services (T1569)"], "intake-formats": ["Cisco NX-OS", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Thinkst Canary", "Sophos Analysis Threat Center", "Daspren Parad", "IBM iSeries", "SonicWall Firewall", "CEF", "SentinelOne EDR", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Trellix ePO (on-prem)", "Sekoia.io Endpoint Agent", "IBM AIX", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "Microsoft 365 / Office 365", "Postfix", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "99b20dcd-c8db-42c7-b00c-a933c580e70a", "name": "Exfiltration Domain In Command Line", "effort": "intermediate", "data_sources": ["Windows event logs", "Process command-line parameters"], "description": "Detects commands containing a domain linked to http exfiltration.", "attack": ["exfiltration - Exfiltration Over Alternative Protocol (T1048)", "exfiltration - Exfiltration Over Web Service (T1567)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "a0eeb810-2a3a-4701-b53d-376f9e3d3a4c", "name": "AdFind Usage", "effort": "elementary", "data_sources": ["Windows event logs", "Process monitoring", "Process command-line parameters"], "description": "Detects the usage of the AdFind tool. AdFind.exe is a free tool that extracts information from Active Directory.  Wizard Spider (Bazar, TrickBot, Ryuk), FIN6 and MAZE operators have used AdFind.exe to collect information about Active Directory organizational units and trust objects ", "attack": ["discovery - Domain Trust Discovery (T1482)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "ESET Protect", "Broadcom/Symantec Endpoint Security", "NucleonEDR", "Crowdstrike Falcon Telemetry", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "Keycloak Events", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Thinkst Canary", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Daspren Parad", "RSA SecurID", "IBM iSeries", "Juniper NGFW", "Citrix NetScaler / ADC", "Elastic AuditBeat Linux", "SonicWall Firewall", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "CEF", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Akamai Guardicore On-Prem [BETA]", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trellix ePO (on-prem)", "Trend Micro Vision One OAT [BETA]", "Jumpcloud Directory Insights", "Azure Activity Logs", "Trellix EPO [ALPHA]", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Microsoft 365 / Office 365", "Postfix", "VMware ESXi", "Windows Log Insight", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "Akamai Guardicore Cloud [BETA]", "Elastic Winlogbeat"]}, {"uuid": "74b4dc86-6f16-409a-8234-6da69a7e4996", "name": "Suspicious Cmd.exe Command Line", "effort": "master", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detection on suspicious cmd.exe command line seen being used by some attackers (e.g. Lazarus with Word macros). This requires Windows process command line logging.", "attack": ["execution - Windows Command Shell (T1059.003)", "stealth - Rename Legitimate Utilities (T1036.003)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "3520662c-ca99-49e8-be7a-214922285dc5", "name": "PowerShell AMSI Deactivation Bypass Using .NET Reflection", "effort": "advanced", "data_sources": ["PowerShell logs", "Process command-line parameters", "Process monitoring"], "description": "Detects Request to amsiInitFailed that can be used to disable AMSI (Antimalware Scan Interface) Scanning. More information about Antimalware Scan Interface https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "108ff651-7beb-4f81-860e-15d4aff9caa7", "name": "CMSTP Execution", "effort": "intermediate", "data_sources": ["Process monitoring", "Windows event logs", "Process command-line parameters"], "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", "attack": ["execution - CMSTP (T1191)", "stealth - CMSTP (T1218.003)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "876d4a1b-dd2e-4b2b-9a88-ac1aa08609ba", "name": "ICacls Granting Access To All", "effort": "elementary", "data_sources": ["Process command-line parameters", "Process monitoring", "Windows event logs"], "description": "Detects suspicious icacls command granting access to all, used by the ransomware Ryuk to delete every access-based restrictions on files and directories. ICacls is a built-in Windows command to interact with the Discretionary Access Control Lists (DACLs) which can grand adversaries higher permissions on specific files and folders.", "attack": ["defense-impairment - Windows Permissions (T1222.001)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "5a402e06-6718-4822-92c7-ce379b982f86", "name": "Process Herpaderping", "effort": "master", "data_sources": ["Process monitoring", "Windows event logs"], "description": "Detection of process herpaderping using Sysmon Event ID 25. It detects that an image has been locked for access. Several processes have been excluded to avoid FPs.", "attack": ["privilege-escalation - Process Injection (T1055)"], "intake-formats": ["Azure Windows", "Windows", "Sekoia.io Endpoint Agent"]}, {"uuid": "9ecfad45-391e-4c9d-a8a8-f911dee1182c", "name": "Enable Root Account With Dsenableroot", "effort": "elementary", "data_sources": ["Process command-line parameters"], "description": "Detects when root is enabled. Attackers can use this as a mean of persistence since root is disabled by default.", "attack": ["initial-access - Valid Accounts (T1078)"], "intake-formats": ["Cisco NX-OS", "ESET Protect", "Broadcom/Symantec Endpoint Security", "Crowdstrike Falcon Telemetry", "Cybereason EDR", "Microsoft Defender XDR (Graph API) [BETA]", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "Keycloak Events", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Thinkst Canary", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Daspren Parad", "IBM iSeries", "Juniper NGFW", "Elastic AuditBeat Linux", "SonicWall Firewall", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CEF", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Akamai Guardicore On-Prem [BETA]", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "IBM AIX", "Trellix ePO (on-prem)", "Trend Micro Vision One OAT [BETA]", "Jumpcloud Directory Insights", "Azure Activity Logs", "Trellix EPO [ALPHA]", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "VMware ESXi", "Microsoft 365 / Office 365", "Postfix", "Windows Log Insight", "Azure Windows", "Akamai Guardicore Cloud [BETA]", "Elastic Winlogbeat"]}, {"uuid": "ce6e6b61-d655-4167-af9a-3700eceef4e1", "name": "Tmutil Delete Backups", "effort": "elementary", "data_sources": ["Process command-line parameters"], "description": "Detects when the utility tmutil is used to delete backups. The Time Machine utility is used to restore data from backups, add or remove exclusions, and compare backups.", "attack": ["impact - Inhibit System Recovery (T1490)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "bc89ae2d-5eee-43ce-a28a-76732bc22541", "name": "Tmutil Exclude File From Backups", "effort": "master", "data_sources": ["Process command-line parameters"], "description": "Detects when the utility tmutil is used to exclude paths from backups.", "attack": ["impact - Inhibit System Recovery (T1490)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "8e82680d-0612-4c93-a253-597724bdb1a9", "name": "User Added To Admin Group Via Cmd", "effort": "advanced", "data_sources": ["Process command-line parameters"], "description": "Detects the use of different commands to add a user to an admin group.", "attack": ["initial-access - Local Accounts (T1078.003)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "5d41b34d-e2bd-46ae-b365-dda3b0dbc7c5", "name": "Tmutil Disabled", "effort": "elementary", "data_sources": ["Process command-line parameters"], "description": "Detects when the utility tmutil is disabled. The Time Machine utility is used to restore data from backups, add or remove exclusions, and compare backups.", "attack": ["impact - Inhibit System Recovery (T1490)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "a2f8ef99-04a2-431b-be6e-03cc8ff5f918", "name": "Attempt to Disable Gatekeeper Execution Control", "effort": "elementary", "data_sources": ["Process command-line parameters"], "description": "Detects attempts to disable Gatekeeper through the command line. Gatekeeper is a macOS feature designed to ensure that only trusted, signed software can be executed.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "016fc894-f655-429c-9739-88c2f2e57f2b", "name": "Startup Item Created", "effort": "intermediate", "data_sources": ["Process command-line parameters"], "description": "Detects when a item is added to the startup directory. An attacker can use this establish persistence.", "attack": ["privilege-escalation - Startup Items (T1037.005)"], "intake-formats": ["Cisco NX-OS", "BeyondTrust Privileged Remote Access Session", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "Google Kubernetes Engine", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Juniper NGFW", "Elastic AuditBeat Linux", "Citrix NetScaler / ADC", "WALLIX Bastion", "Trellix EDR [ALPHA]", "Stormshield SES", "Trend Micro Apex One / Vision One endpoint", "CyberArk Digital Vault", "SentinelOne EDR", "Stormshield SNS", "F5 BIG-IP", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "IBM AIX", "One Identity SPS", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]", "Azure Windows", "NucleonEDR", "Elastic Winlogbeat"]}, {"uuid": "6114a31f-b55c-4ba1-8372-c5f0f306e901", "name": "Generic Password Discovery", "effort": "advanced", "data_sources": ["Process command-line parameters"], "description": "Detects when the security utility is used to access passwords in a keychain.", "attack": ["credential-access - Keychain (T1555.001)"], "intake-formats": ["SentinelOne Singularity Identity", "OCSF", "Tanium", "Cybereason EDR activity", "Stormshield SES", "Azure Activity Logs", "CrowdStrike Falcon", "Bitdefender GravityZone", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Windows", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "10f07542-71ae-46af-b178-6ca89e53e4a2", "name": "Potential macOS SSH Brute Force Detected", "effort": "advanced", "data_sources": ["Process command-line parameters"], "description": "Detects a potential ssh bruteforce to gain access to accounts.", "attack": ["lateral-movement - SSH Hijacking (T1563.001)"], "intake-formats": ["SentinelOne Singularity Identity", "OCSF", "Tanium", "Cybereason EDR activity", "ESET Protect", "Stormshield SES", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Sophos Analysis Threat Center", "Windows", "SentinelOne EDR", "Crowdstrike Falcon Telemetry", "Azure Windows", "Elastic Winlogbeat", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "bff04587-6551-4e84-9ad9-eb11a56a2fdf", "name": "Chflags Hidden", "effort": "advanced", "data_sources": ["Process command-line parameters"], "description": "Detects the use of the hidden flag by the utility chflags to hide files and directories.", "attack": ["stealth - Hidden Files and Directories (T1564.001)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "0e3e928b-8f0d-4cc8-830f-d0a2267c4c8c", "name": "AppleScript Password Prompt", "effort": "advanced", "data_sources": ["Process command-line parameters"], "description": "Detects when a prompt is displayed to gain credentials. This technique is used by MacOS malware to obtain the user's password.", "attack": ["credential-access - Input Capture (T1056)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "07b34666-caa5-4af1-a4da-57b0332339ea", "name": "Dscl Authonly", "effort": "advanced", "data_sources": ["Process command-line parameters", "Process monitoring"], "description": "Detects the use of the command dscl with authonly used to verify the password of a user and for authentification. An attacker can abuse this command to gain credentials.", "attack": ["initial-access - Valid Accounts (T1078)"], "intake-formats": ["Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "TEHTRIS EDR", "Barracuda CloudGen Firewall", "Trend Micro Cloud One / Deep Security", "OCSF", "Tanium", "WithSecure Elements", "Cybereason EDR activity", "VMware vCenter", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "Juniper NGFW", "Elastic AuditBeat Linux", "Trellix EDR [ALPHA]", "Stormshield SES", "SentinelOne EDR", "Stormshield SNS", "Cisco IOS router and switch", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "IBM AIX", "Trend Micro Vision One OAT [BETA]", "Azure Activity Logs", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "SentinelOne Cloud Funnel 2.0", "Azure Windows", "Trend Micro Apex One / Vision One endpoint", "Elastic Winlogbeat"]}, {"uuid": "75b26c09-92bb-43d5-9343-0aaf00435df0", "name": "Trellix Network Security Threat Blocked", "effort": "master", "data_sources": ["Web application firewall logs"], "description": "Trellix Network Security has detected a malicious traffic and blocked it.", "attack": ["command-and-control - Application Layer Protocol (T1071)"], "intake-formats": ["Trellix Network Security"]}, {"uuid": "b85716b1-5933-456a-8191-88908b276cd8", "name": "Rubycat PROVEIT Admin Service Modified", "effort": "master", "data_sources": ["Authentication logs"], "description": "Rubycat PROVEIT has detected a service modification that could require some review if not expected.", "attack": ["stealth - Disable or Modify Tools (T1562.001)"], "intake-formats": ["Rubycat PROVE IT"]}, {"uuid": "d5e87475-6ba3-43ba-bce2-1551fabd39b1", "name": "Login Brute-Force Successful On ArubaOS Switch", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "A user has attempted to login several times (brute-force) on ArubaOS switch and succeeded to login.", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["ArubaOS Switch"]}, {"uuid": "6741888d-e18e-4832-ae91-5bf056650e51", "name": "Suspicious URI Used In A Lazarus Campaign", "effort": "intermediate", "data_sources": ["Web logs", "Web proxy", "Web application firewall logs"], "description": "Detects suspicious requests to a specific URI, usually on an .asp page. The website is often compromised.", "attack": ["command-and-control - Ingress Tool Transfer (T1105)"], "intake-formats": ["Cloudflare Gateway HTTP", "Trellix Network Security", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Thinkst Canary", "Fastly Next-Gen WAF Audit Logs", "Salesforce", "VMware vCenter", "Azure Front Door", "Zscaler Internet Access", "CEF", "SentinelOne EDR", "Cato Networks SASE", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "Trend Micro Vision One OAT [BETA]", "Check Point Harmony Email & Collaboration Suite Security", "Delinea PRA", "Bitdefender GravityZone", "AWS WAF", "Cisco Meraki MX", "Check Point NGFW", "Cisco ESA", "Microsoft Defender XDR (Graph API) [BETA]", "OCSF", "Mimecast Email Security", "Citrix NetScaler / ADC", "Palo Alto NGFW", "Apache HTTP Server", "F5 BIG-IP", "PRODAFT USTA Cyber Threat Intelligence Platform", "Cisco Secure Firewall", "OGO WAF", "Sophos Firewall", "Microsoft 365 / Office 365", "Palo Alto Prisma access", "Trend Micro Apex One / Vision One endpoint", "BeyondTrust Privileged Remote Access Session", "Netskope", "Broadcom Edge Secure Web Gateway", "Zscaler Private Access [BETA]", "Broadcom/Symantec Endpoint Security", "Netskope Transaction Events with AWS S3", "TEHTRIS EDR", "Proofpoint TAP", "Forcepoint Secure Web Gateway", "Cisco ISE", "Sophos EDR", "Jizo AI / Sesame it NDR", "PingFederate", "Proofpoint PoD", "Stormshield SES", "Cisco Umbrella Proxy", "Cisco IOS router and switch", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Suricata", "Azure Files", "Google Cloud Load Balancing", "Squid", "Azure Key Vault", "Netskope Transaction Events [DEPRECATED]", "Trend Micro Cloud One / Deep Security", "Ubika WAAP Gateway", "Fortinet FortiProxy", "Imperva WAF", "Cisco Secure Web Appliance", "Sekoia.io activity logs", "Azure Application Gateway", "F5 NGINX", "Olfeo SAAS", "SonicWall Firewall", "Fortinet FortiMail", "Fortinet FortiGate", "HAProxy", "VMware ESXi", "SentinelOne Cloud Funnel 2.0", "Lookout Mobile Endpoint Security", "BeyondTrust PRA Team [BETA]"]}, {"uuid": "805503bb-f27e-4f14-9465-710bec10abfd", "name": "Cobalt Strike HTTP Default GET beaconing", "effort": "advanced", "data_sources": ["Network device logs", "Packet capture"], "description": "Detects GET HTTP queries from known Cobalt Strike beacons (source code 4.3)", "attack": ["command-and-control - Web Protocols (T1071.001)"], "intake-formats": ["Suricata", "Zscaler Internet Access", "Cisco Secure Web Appliance", "Salesforce", "Zscaler Private Access [BETA]", "VMware vCenter", "Cisco Umbrella Proxy", "Azure Front Door", "Squid", "Apache HTTP Server", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "F5 BIG-IP", "F5 NGINX", "Cisco Secure Firewall", "HAProxy", "Olfeo SAAS"]}, {"uuid": "6af26887-a4be-4b6f-9ea5-9750decf1025", "name": "LokiBot Default C2 URL", "effort": "elementary", "data_sources": ["Netflow/Enclave netflow", "Network protocol analysis", "Packet capture", "Web logs"], "description": "Detects default C2 URL for trojan LokiBot", "attack": ["command-and-control - Web Protocols (T1071.001)"], "intake-formats": ["Cloudflare Gateway HTTP", "Broadcom Edge Secure Web Gateway", "Google Cloud Load Balancing", "Zscaler Private Access [BETA]", "Netskope Transaction Events with AWS S3", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Squid", "Azure Key Vault", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "OCSF", "Fortinet FortiProxy", "Imperva WAF", "Thinkst Canary", "Cisco Secure Web Appliance", "Salesforce", "VMware vCenter", "Azure Front Door", "Azure Application Gateway", "F5 NGINX", "Citrix NetScaler / ADC", "Olfeo SAAS", "Jizo AI / Sesame it NDR", "PingFederate", "Zscaler Internet Access", "Cisco Umbrella Proxy", "Apache HTTP Server", "F5 BIG-IP", "Cisco Secure Firewall", "HAProxy", "HarfangLab EDR", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "OGO WAF", "Delinea PRA", "Sophos Firewall", "Suricata", "AWS WAF", "Azure Files"]}, {"uuid": "50eb4477-d9df-4897-8eb3-aec6ca72267c", "name": "TOR Usage Generic Rule", "effort": "master", "data_sources": ["Netflow/Enclave netflow", "Network protocol analysis", "Packet capture", "Web application firewall logs"], "description": "Detects TOR usage globally, whether the IP is a destination or source. TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user\u2019s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user\u2019s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what\u2019s left on to the next relay in the list.", "attack": ["command-and-control - Multi-hop Proxy (T1090.003)"], "intake-formats": ["NeroSwarm Honeypot", "Cloudflare Gateway HTTP", "Azure Network Watcher [DEPRECATED]", "Trellix Network Security", "Ekinops OneOS", "Veeam Backup", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Apache SpamAssassin", "F5 Distributed Cloud", "Broadcom Cloud Secure Web Gateway", "Forcepoint Management Server", "Cloudflare Access Requests", "Tanium", "Thinkst Canary", "Fastly Next-Gen WAF Audit Logs", "Salesforce", "VMware vCenter", "Fastly Next-Gen WAF Alerts", "Azure Front Door", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Unbound", "Vade for M365", "GraphAPI for Microsoft Entra ID / Azure AD", "Broadcom Siteminder", "Cyberwatch Detection", "Microsoft Intune", "Azure Database for MySQL", "Zscaler Internet Access", "Gatewatcher AionIQ V103", "FreeRADIUS", "CEF", "SentinelOne EDR", "Wiz Audit Logs", "Cato Networks SASE", "Akamai Guardicore On-Prem [BETA]", "Olfeo secure web gateway", "One Identity SPS", "Microsoft Entra ID / Azure AD", "Aleph Alerts [BETA]", "Check Point Harmony Email & Collaboration Suite Security", "Delinea PRA", "Trend Micro Vision One OAT [BETA]", "Ubika Cloud Protector Next Generation Alerts", "Microsoft Always On VPN", "WatchGuard Firebox", "Systancia Cleanroom", "Bitdefender GravityZone", "AWS WAF", "AWS CloudFront", "Cisco Meraki MX", "Check Point NGFW", "Elastic Winlogbeat", "Cisco NX-OS", "Cisco ESA", "Seckiot Citadelle", "Kubernetes Audit Log", "Trapster (by Ballpoint) [BETA]", "Azure Network Watcher Flow Logs", "Cloudflare Audit logs", "BeyondTrust Privileged Remote Access Syslog [BETA]", "Hornetsecurity 365 Total Protection", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "Cloudflare DNS logs", "Google Workspace / ChromeOS", "Wiz Threat Detections", "OCSF", "AWS CloudTrail", "Microsoft 365 Message Trace [DEPRECATED]", "Github Audit logs", "Juniper Networks Switches", "Microsoft IIS", "Claroty xDome", "Cisco Umbrella DNS", "Juniper NGFW", "Ivanti / Pulse Connect Secure", "Mimecast Email Security", "Citrix NetScaler / ADC", "Wiz Vulnerability Findings", "Palo Alto NGFW", "Cisco Umbrella IP", "Trellix EDR [ALPHA]", "Darktrace Threat Visualizer", "Nanocorp [BETA]", "Stormshield SNS", "Apache HTTP Server", "OpenVPN", "F5 BIG-IP", "PRODAFT USTA Cyber Threat Intelligence Platform", "Ubika Cloud Protector Traffic [DEPRECATED]", "Cisco Secure Firewall", "Trellix ePO (on-prem)", "ArubaOS Switch", "Cloudflare HTTP requests", "IBM AIX", "OGO WAF", "Jumpcloud Directory Insights", "Sophos Firewall", "MokN - Baits", "Varonis Data Security", "Azure Activity Logs", "Trellix EPO [ALPHA]", "CrowdStrike Falcon", "Infoblox DDI", "Microsoft 365 / Office 365", "Gatewatcher AionIQ v102", "Palo Alto Prisma access", "Vectra Cognito Detect", "Akamai Guardicore Cloud [BETA]", "Trend Micro Apex One / Vision One endpoint", "Retarus Email Security", "BeyondTrust Privileged Remote Access Session", "Netskope", "Broadcom Edge Secure Web Gateway", "SonicWall Secure Mobile Access", "ESET Protect", "Zscaler Private Access [BETA]", "Broadcom/Symantec Endpoint Security", "Netskope Transaction Events with AWS S3", "AWS GuardDuty", "TEHTRIS EDR", "Watchguard EPDR", "Lacework Cloud Security", "Proofpoint TAP", "WithSecure Elements", "Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "WatchGuard Endpoint Security / Panda Security Aether", "Forcepoint Secure Web Gateway", "Cisco Duo Security", "Cisco ISE", "Nozomi CMC", "Radware DefensePro [Beta]", "IBM iSeries", "OpenBSD Packet Filter / OPNSense / PfSense", "Elastic AuditBeat Linux", "Rubycat PROVE IT", "Cloudflare WAF events", "Jizo AI / Sesame it NDR", "PingFederate", "Proofpoint PoD", "Stormshield SES", "Wiz Issues", "AWS VPC Flow logs", "Microsoft 365 Message Trace (Graph API)", "Cisco Umbrella Proxy", "ManageEngine ADAudit Plus", "Cisco IOS router and switch", "Google VPC Flow Logs", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "EfficientIP SOLIDServer DDI", "SentinelOne Singularity Identity", "Vade Cloud", "Netfilter", "Suricata", "Google Cloud Audit Logs", "Palo Alto Cortex XDR (EDR)", "1Password EPM", "Cloudflare Gateway DNS", "Postfix", "Azure Files", "Ubika Cloud Protector Alerts [DEPRECATED]", "Azure Windows", "Nozomi Vantage", "NucleonEDR", "Okta", "ExtraHop Reveal(x) 360", "Google Cloud Load Balancing", "CyberArk Audit Logs", "Squid", "Azure Key Vault", "Barracuda CloudGen Firewall", "Akamai WAF", "Cisco Catalyst SD-WAN", "Netskope Transaction Events [DEPRECATED]", "LockSelf LockPass/LockTransfer/LockFiles", "Trend Micro Cloud One / Deep Security", "Ubika WAAP Gateway", "Keycloak Events", "Fortinet FortiProxy", "Cybereason EDR activity", "Imperva WAF", "Cisco Secure Web Appliance", "ISC DHCP", "Sekoia.io activity logs", "Azure Application Gateway", "F5 NGINX", "Olfeo SAAS", "OpenLDAP", "SonicWall Firewall", "WALLIX Bastion", "Clavister NGFW", "Fortinet FortiWeb", "CyberArk Digital Vault", "Fortinet FortiMail", "Cloudflare Gateway Network", "Fortinet FortiGate", "Trellix Advanced Threat Defense", "HAProxy", "OpenSSH", "VMware ESXi", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "BIND", "Trend Micro Vision One Workbench Alerts [BETA]", "Bitsight SPM"]}, {"uuid": "7daf89fd-56b5-4476-a606-e51b9c74537c", "name": "Correlation Fortigate Multi Alert From One Internal Ip", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "This rule detect an internal asset that targets a destination IP address with several threat", "attack": ["reconnaissance - Active Scanning (T1595)"], "intake-formats": ["Fortinet FortiGate"]}, {"uuid": "de878945-be98-4cab-821e-56da38da38f7", "name": "Cato Networks SASE High Risk Alert", "effort": "master", "data_sources": ["Application logs"], "description": "Cato Networks SASE intrusion detection has detected a high risk alert.", "attack": ["command-and-control - Application Layer Protocol (T1071)"], "intake-formats": ["Cato Networks SASE"]}, {"uuid": "e4f2d8ee-ec9e-4e69-a1ec-9ec94b506978", "name": "CVE-2021-41773 Apache 2.4.49 Path Traversal", "effort": "advanced", "data_sources": ["Packet capture", "Web logs", "Web application firewall logs", "Web proxy"], "description": "Detects successful exploitation of the Apache Path Traversal CVE-2021-41773.", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Cloudflare Gateway HTTP", "Broadcom Edge Secure Web Gateway", "Google Cloud Load Balancing", "Zscaler Private Access [BETA]", "Netskope Transaction Events with AWS S3", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Squid", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "OCSF", "Imperva WAF", "Thinkst Canary", "Cisco Secure Web Appliance", "Salesforce", "VMware vCenter", "Azure Front Door", "Azure Application Gateway", "F5 NGINX", "Citrix NetScaler / ADC", "Olfeo SAAS", "PingFederate", "Zscaler Internet Access", "Cisco Umbrella Proxy", "Apache HTTP Server", "F5 BIG-IP", "Cisco Secure Firewall", "HAProxy", "HarfangLab EDR", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "OGO WAF", "Sophos Firewall", "Suricata", "AWS WAF"]}, {"uuid": "e7bcb8c8-54a6-41b0-b7b9-9b2387b5f775", "name": "TOR Usage", "effort": "master", "data_sources": ["Netflow/Enclave netflow", "Network protocol analysis", "Packet capture", "Web application firewall logs"], "description": "Detects TOR usage, based on the IP address and the destination port (filtered on NTP). TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user\u2019s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user\u2019s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what\u2019s left on to the next relay in the list.", "attack": ["command-and-control - Multi-hop Proxy (T1090.003)"], "intake-formats": ["NeroSwarm Honeypot", "Seckiot Citadelle", "Trellix Network Security", "Ekinops OneOS", "Broadcom/Symantec Endpoint Security", "NucleonEDR", "AWS GuardDuty", "Squid", "Barracuda CloudGen Firewall", "Juniper Networks Switches", "Cisco Secure Web Appliance", "Nozomi CMC", "OpenBSD Packet Filter / OPNSense / PfSense", "Ivanti / Pulse Connect Secure", "Nozomi Vantage", "Palo Alto NGFW", "Clavister NGFW", "Jizo AI / Sesame it NDR", "Stormshield SES", "Gatewatcher AionIQ V103", "FreeRADIUS", "Stormshield SNS", "Fortinet FortiGate", "Cloudflare Gateway Network", "F5 BIG-IP", "Cato Networks SASE", "Cisco Secure Firewall", "Akamai Guardicore On-Prem [BETA]", "Windows", "Netfilter", "Delinea PRA", "Sophos Firewall", "Suricata", "WatchGuard Firebox", "Infoblox DDI", "Cloudflare Gateway DNS", "Palo Alto Prisma access", "Gatewatcher AionIQ v102", "Azure Windows", "Check Point NGFW", "Akamai Guardicore Cloud [BETA]", "Elastic Winlogbeat"]}, {"uuid": "9128bd5c-90c0-4d1b-ac2d-a44a8e89e989", "name": "Cryptomining", "effort": "master", "data_sources": ["DNS records", "Netflow/Enclave netflow", "Network protocol analysis", "Packet capture", "Web logs"], "description": "Detection of domain names potentially related to cryptomining activities.", "attack": ["command-and-control - DNS (T1071.004)"], "intake-formats": ["NeroSwarm Honeypot", "Cloudflare Gateway HTTP", "Azure Network Watcher [DEPRECATED]", "Trellix Network Security", "Ekinops OneOS", "Veeam Backup", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Apache SpamAssassin", "F5 Distributed Cloud", "Broadcom Cloud Secure Web Gateway", "Forcepoint Management Server", "Cloudflare Access Requests", "Tanium", "Thinkst Canary", "Fastly Next-Gen WAF Audit Logs", "Salesforce", "VMware vCenter", "Fastly Next-Gen WAF Alerts", "Azure Front Door", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Unbound", "Vade for M365", "GraphAPI for Microsoft Entra ID / Azure AD", "Broadcom Siteminder", "Cyberwatch Detection", "Microsoft Intune", "Azure Database for MySQL", "Zscaler Internet Access", "Gatewatcher AionIQ V103", "FreeRADIUS", "CEF", "SentinelOne EDR", "Wiz Audit Logs", "Cato Networks SASE", "Akamai Guardicore On-Prem [BETA]", "Olfeo secure web gateway", "One Identity SPS", "Microsoft Entra ID / Azure AD", "Aleph Alerts [BETA]", "Check Point Harmony Email & Collaboration Suite Security", "Delinea PRA", "Trend Micro Vision One OAT [BETA]", "Ubika Cloud Protector Next Generation Alerts", "Microsoft Always On VPN", "WatchGuard Firebox", "Systancia Cleanroom", "Bitdefender GravityZone", "AWS WAF", "AWS CloudFront", "Cisco Meraki MX", "Check Point NGFW", "Elastic Winlogbeat", "Cisco NX-OS", "Cisco ESA", "Seckiot Citadelle", "Kubernetes Audit Log", "Trapster (by Ballpoint) [BETA]", "Azure Network Watcher Flow Logs", "Cloudflare Audit logs", "BeyondTrust Privileged Remote Access Syslog [BETA]", "Hornetsecurity 365 Total Protection", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "Cloudflare DNS logs", "Google Workspace / ChromeOS", "Wiz Threat Detections", "OCSF", "AWS CloudTrail", "Microsoft 365 Message Trace [DEPRECATED]", "Github Audit logs", "Juniper Networks Switches", "Microsoft IIS", "Claroty xDome", "Cisco Umbrella DNS", "Juniper NGFW", "Ivanti / Pulse Connect Secure", "Mimecast Email Security", "Citrix NetScaler / ADC", "Wiz Vulnerability Findings", "Palo Alto NGFW", "Cisco Umbrella IP", "Trellix EDR [ALPHA]", "Darktrace Threat Visualizer", "Nanocorp [BETA]", "Stormshield SNS", "Apache HTTP Server", "OpenVPN", "F5 BIG-IP", "PRODAFT USTA Cyber Threat Intelligence Platform", "Ubika Cloud Protector Traffic [DEPRECATED]", "Cisco Secure Firewall", "Trellix ePO (on-prem)", "ArubaOS Switch", "Cloudflare HTTP requests", "IBM AIX", "OGO WAF", "Jumpcloud Directory Insights", "Sophos Firewall", "MokN - Baits", "Varonis Data Security", "Azure Activity Logs", "Trellix EPO [ALPHA]", "CrowdStrike Falcon", "Infoblox DDI", "Microsoft 365 / Office 365", "Gatewatcher AionIQ v102", "Palo Alto Prisma access", "Vectra Cognito Detect", "Akamai Guardicore Cloud [BETA]", "Trend Micro Apex One / Vision One endpoint", "Retarus Email Security", "BeyondTrust Privileged Remote Access Session", "Netskope", "Broadcom Edge Secure Web Gateway", "SonicWall Secure Mobile Access", "ESET Protect", "Zscaler Private Access [BETA]", "Broadcom/Symantec Endpoint Security", "Netskope Transaction Events with AWS S3", "AWS GuardDuty", "TEHTRIS EDR", "Watchguard EPDR", "Lacework Cloud Security", "Proofpoint TAP", "WithSecure Elements", "Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "WatchGuard Endpoint Security / Panda Security Aether", "Forcepoint Secure Web Gateway", "Cisco Duo Security", "Cisco ISE", "Nozomi CMC", "Radware DefensePro [Beta]", "IBM iSeries", "OpenBSD Packet Filter / OPNSense / PfSense", "Elastic AuditBeat Linux", "Rubycat PROVE IT", "Cloudflare WAF events", "Jizo AI / Sesame it NDR", "PingFederate", "Proofpoint PoD", "Stormshield SES", "Wiz Issues", "AWS VPC Flow logs", "Microsoft 365 Message Trace (Graph API)", "Cisco Umbrella Proxy", "ManageEngine ADAudit Plus", "Cisco IOS router and switch", "Google VPC Flow Logs", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "EfficientIP SOLIDServer DDI", "SentinelOne Singularity Identity", "Vade Cloud", "Netfilter", "Suricata", "Google Cloud Audit Logs", "Palo Alto Cortex XDR (EDR)", "1Password EPM", "Cloudflare Gateway DNS", "Postfix", "Azure Files", "Ubika Cloud Protector Alerts [DEPRECATED]", "Azure Windows", "Nozomi Vantage", "NucleonEDR", "Okta", "ExtraHop Reveal(x) 360", "Google Cloud Load Balancing", "CyberArk Audit Logs", "Squid", "Azure Key Vault", "Barracuda CloudGen Firewall", "Akamai WAF", "Cisco Catalyst SD-WAN", "Netskope Transaction Events [DEPRECATED]", "LockSelf LockPass/LockTransfer/LockFiles", "Trend Micro Cloud One / Deep Security", "Ubika WAAP Gateway", "Keycloak Events", "Fortinet FortiProxy", "Cybereason EDR activity", "Imperva WAF", "Cisco Secure Web Appliance", "ISC DHCP", "Sekoia.io activity logs", "Azure Application Gateway", "F5 NGINX", "Olfeo SAAS", "OpenLDAP", "SonicWall Firewall", "WALLIX Bastion", "Clavister NGFW", "Fortinet FortiWeb", "CyberArk Digital Vault", "Fortinet FortiMail", "Cloudflare Gateway Network", "Fortinet FortiGate", "Trellix Advanced Threat Defense", "HAProxy", "OpenSSH", "VMware ESXi", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "BIND", "Trend Micro Vision One Workbench Alerts [BETA]", "Bitsight SPM"]}, {"uuid": "de6d933d-4a96-4b24-8df2-e768dc678825", "name": "Suspicious URL Requested By Curl Or Wget Commands", "effort": "advanced", "data_sources": ["Web proxy", "Web application firewall logs", "Process monitoring", "Process command-line parameters"], "description": "Correlation rule aiming to be multi-source to detect URL with suspicious files extensions (seen on a network level by proxies or firewalls) being requested by curl or wget processes (seen on a host level).", "attack": ["persistence - Cloud Account (T1136.003)"], "intake-formats": ["F5 BIG-IP", "Windows", "OCSF", "Zscaler Internet Access"]}, {"uuid": "41422dfa-7de5-4552-ada8-22981eb2a30c", "name": "Login Brute-Force On Fortinet Firewall From Internet", "effort": "advanced", "data_sources": ["Authentication logs", "Web application firewall logs", "Web logs", "Web proxy", "Network protocol analysis", "Packet capture"], "description": "Detects successful access to administration console of a firewall after several failure from Internet.", "attack": ["credential-access - Brute Force (T1110)", "initial-access - Valid Accounts (T1078)"], "intake-formats": []}, {"uuid": "919d97e6-9804-4360-a209-4e51c514e0fb", "name": "ESET Protect Intrusion Detection", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects when the solution ESET Protect detects an intrusion.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["ESET Protect"]}, {"uuid": "4f69a6ad-5e24-4756-b56e-c95704dccade", "name": "Cloudflare Gateway DNS Query Allowed to Malicious Domain", "effort": "master", "data_sources": ["DNS records"], "description": "A DNS query to a domain categorized by Cloudflare Gateway as malicious was allowed because no blocking policy is configured.", "attack": ["command-and-control - Web Protocols (T1071.001)"], "intake-formats": ["Cloudflare Gateway DNS"]}, {"uuid": "dd1d4c5e-33ae-4936-88fa-479754f6a085", "name": "Anomaly Internal Ping", "effort": "master", "data_sources": ["Network intrusion detection system", "Network device logs"], "description": "Detects internal ping with uncomplete connection on internal network.", "attack": ["discovery - Remote System Discovery (T1018)"], "intake-formats": []}, {"uuid": "d1e2d36c-71f0-4af0-995b-bd9813d14e0c", "name": "Fortigate Firewall Login In Failure", "effort": "master", "data_sources": ["Authentication logs", "Web application firewall logs", "Network protocol analysis", "Packet capture"], "description": "Detects failed login attemps on firewall administration rule. Prerequisites, check that the firewall logs format corresponds to the rule", "attack": ["credential-access - Brute Force (T1110)"], "intake-formats": []}, {"uuid": "65be743f-38b6-4d7f-b415-4baf3d0837c5", "name": "Broadcom Edge Secure Web Gateway Anomaly TCP Denied", "effort": "master", "data_sources": ["Network protocol analysis"], "description": "Detects a high number of connection TCP denied.", "attack": ["discovery - System Network Connections Discovery (T1049)"], "intake-formats": []}, {"uuid": "54d564a9-b0e2-4631-b156-c36a5db07b9b", "name": "Cisco Identity Services Engine Configuration Changed", "effort": "master", "data_sources": ["Network device configuration"], "description": "Cisco Identity Services Engine (ISE) has detected a device configuration changed (Added, Changed or Deleted). This should be reviewed in order to check if this an expected admin action.", "attack": ["resource-development - Email Accounts (T1586.002)"], "intake-formats": ["Cisco ISE"]}, {"uuid": "90d03042-9b00-4d1f-a83d-81539a0f2552", "name": "ProxyShell Microsoft Exchange Suspicious Paths", "effort": "elementary", "data_sources": ["Netflow/Enclave netflow", "Network protocol analysis", "Packet capture", "Web application firewall logs", "Web logs"], "description": "Detects suspicious calls to Microsoft Exchange resources, in locations related to webshells observed in campaigns using this vulnerability.", "attack": ["persistence - Web Shell (T1505.003)"], "intake-formats": ["Cloudflare Gateway HTTP", "Trellix Network Security", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Thinkst Canary", "Fastly Next-Gen WAF Audit Logs", "Salesforce", "VMware vCenter", "Azure Front Door", "Zscaler Internet Access", "CEF", "SentinelOne EDR", "Cato Networks SASE", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "Trend Micro Vision One OAT [BETA]", "Check Point Harmony Email & Collaboration Suite Security", "Delinea PRA", "Bitdefender GravityZone", "AWS WAF", "Cisco Meraki MX", "Check Point NGFW", "Cisco ESA", "Microsoft Defender XDR (Graph API) [BETA]", "OCSF", "Mimecast Email Security", "Citrix NetScaler / ADC", "Palo Alto NGFW", "Apache HTTP Server", "F5 BIG-IP", "PRODAFT USTA Cyber Threat Intelligence Platform", "Cisco Secure Firewall", "OGO WAF", "Sophos Firewall", "Microsoft 365 / Office 365", "Palo Alto Prisma access", "Trend Micro Apex One / Vision One endpoint", "BeyondTrust Privileged Remote Access Session", "Netskope", "Broadcom Edge Secure Web Gateway", "Zscaler Private Access [BETA]", "Broadcom/Symantec Endpoint Security", "Netskope Transaction Events with AWS S3", "TEHTRIS EDR", "Proofpoint TAP", "Forcepoint Secure Web Gateway", "Cisco ISE", "Sophos EDR", "Jizo AI / Sesame it NDR", "PingFederate", "Proofpoint PoD", "Stormshield SES", "Cisco Umbrella Proxy", "Cisco IOS router and switch", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Suricata", "Azure Files", "Google Cloud Load Balancing", "Squid", "Azure Key Vault", "Netskope Transaction Events [DEPRECATED]", "Trend Micro Cloud One / Deep Security", "Ubika WAAP Gateway", "Fortinet FortiProxy", "Imperva WAF", "Cisco Secure Web Appliance", "Sekoia.io activity logs", "Azure Application Gateway", "F5 NGINX", "Olfeo SAAS", "SonicWall Firewall", "Fortinet FortiMail", "Fortinet FortiGate", "HAProxy", "VMware ESXi", "SentinelOne Cloud Funnel 2.0", "Lookout Mobile Endpoint Security", "BeyondTrust PRA Team [BETA]"]}, {"uuid": "8fb8c59d-b4a0-425b-9773-73819b82d657", "name": "Spearphishing (Lawyer Fraud) Detected By Vade For M365", "effort": "master", "data_sources": ["Anti-virus", "Email gateway"], "description": "Vade Secure product Vade for M365 has detected a spearphishing attempt with lawyer fraud thematic. Impersonation of lawyers and lawyers' firms. The main goal is to make sure the victims will not raise awareness around them. Confidentiality restrictions are implied.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Vade for M365"]}, {"uuid": "1842fa22-e990-4be7-90ae-daafc8540147", "name": "CVE-2021-20023 SonicWall Arbitrary File Read", "effort": "advanced", "data_sources": ["Packet capture", "Web logs", "Web application firewall logs", "Web proxy"], "description": "Detects Arbitrary File Read, which can be used with other vulnerabilities as a mean to obtain outputs generated by attackers, or sensitive data.", "attack": ["collection - Data Staged (T1074)"], "intake-formats": ["Cloudflare Gateway HTTP", "Trellix Network Security", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Thinkst Canary", "Fastly Next-Gen WAF Audit Logs", "Salesforce", "VMware vCenter", "Azure Front Door", "Zscaler Internet Access", "CEF", "SentinelOne EDR", "Cato Networks SASE", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "Trend Micro Vision One OAT [BETA]", "Check Point Harmony Email & Collaboration Suite Security", "Delinea PRA", "Bitdefender GravityZone", "AWS WAF", "Cisco Meraki MX", "Check Point NGFW", "Cisco ESA", "Microsoft Defender XDR (Graph API) [BETA]", "OCSF", "Mimecast Email Security", "Citrix NetScaler / ADC", "Palo Alto NGFW", "Apache HTTP Server", "F5 BIG-IP", "PRODAFT USTA Cyber Threat Intelligence Platform", "Cisco Secure Firewall", "OGO WAF", "Sophos Firewall", "Microsoft 365 / Office 365", "Palo Alto Prisma access", "Trend Micro Apex One / Vision One endpoint", "BeyondTrust Privileged Remote Access Session", "Netskope", "Broadcom Edge Secure Web Gateway", "Zscaler Private Access [BETA]", "Broadcom/Symantec Endpoint Security", "Netskope Transaction Events with AWS S3", "TEHTRIS EDR", "Proofpoint TAP", "Forcepoint Secure Web Gateway", "Cisco ISE", "Sophos EDR", "Jizo AI / Sesame it NDR", "PingFederate", "Proofpoint PoD", "Stormshield SES", "Cisco Umbrella Proxy", "Cisco IOS router and switch", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Suricata", "Azure Files", "Google Cloud Load Balancing", "Squid", "Azure Key Vault", "Netskope Transaction Events [DEPRECATED]", "Trend Micro Cloud One / Deep Security", "Ubika WAAP Gateway", "Fortinet FortiProxy", "Imperva WAF", "Cisco Secure Web Appliance", "Sekoia.io activity logs", "Azure Application Gateway", "F5 NGINX", "Olfeo SAAS", "SonicWall Firewall", "Fortinet FortiMail", "Fortinet FortiGate", "HAProxy", "VMware ESXi", "SentinelOne Cloud Funnel 2.0", "Lookout Mobile Endpoint Security", "BeyondTrust PRA Team [BETA]"]}, {"uuid": "b99f6469-d40d-4765-a608-00aafe4d95ee", "name": "ESET Protect Malware", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects when Eset Protect tagged an event as linked to a malware with infected files.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["ESET Protect"]}, {"uuid": "c5e347d4-aaa3-457a-af50-514d1f09d568", "name": "Potential Lemon Duck User-Agent", "effort": "elementary", "data_sources": ["Packet capture", "Web logs", "Web application firewall logs", "Web proxy"], "description": "Detects LemonDuck user agent. The format used two sets of alphabetical characters separated by dashes, for example \"User-Agent: Lemon-Duck-[A-Z]-[A-Z]\".", "attack": ["command-and-control - Web Protocols (T1071.001)"], "intake-formats": ["NeroSwarm Honeypot", "Cloudflare Gateway HTTP", "Trellix Network Security", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "F5 Distributed Cloud", "Broadcom Cloud Secure Web Gateway", "Thinkst Canary", "Fastly Next-Gen WAF Audit Logs", "Salesforce", "VMware vCenter", "Fastly Next-Gen WAF Alerts", "Azure Front Door", "GraphAPI for Microsoft Entra ID / Azure AD", "Zscaler Internet Access", "Gatewatcher AionIQ V103", "CEF", "Wiz Audit Logs", "Cato Networks SASE", "Ubika Cloud Protector Next Generation Alerts", "Microsoft Entra ID / Azure AD", "Delinea PRA", "AWS WAF", "AWS CloudFront", "Cisco Meraki MX", "Check Point NGFW", "Cisco ESA", "Kubernetes Audit Log", "Trapster (by Ballpoint) [BETA]", "OCSF", "AWS CloudTrail", "Github Audit logs", "Ivanti / Pulse Connect Secure", "Citrix NetScaler / ADC", "Apache HTTP Server", "F5 BIG-IP", "Ubika Cloud Protector Traffic [DEPRECATED]", "Cisco Secure Firewall", "Cloudflare HTTP requests", "OGO WAF", "Sophos Firewall", "MokN - Baits", "CrowdStrike Falcon", "Microsoft 365 / Office 365", "Gatewatcher AionIQ v102", "Netskope", "Broadcom Edge Secure Web Gateway", "SonicWall Secure Mobile Access", "Zscaler Private Access [BETA]", "Netskope Transaction Events with AWS S3", "AWS GuardDuty", "Proofpoint TAP", "Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "Forcepoint Secure Web Gateway", "Cisco Duo Security", "Cisco ISE", "Nozomi CMC", "Cloudflare WAF events", "Cisco Umbrella Proxy", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Suricata", "Google Cloud Audit Logs", "Azure Files", "Okta", "Google Cloud Load Balancing", "Squid", "Azure Key Vault", "Cisco Catalyst SD-WAN", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "Fortinet FortiProxy", "Imperva WAF", "Cisco Secure Web Appliance", "Sekoia.io activity logs", "Azure Application Gateway", "F5 NGINX", "SonicWall Firewall", "Fortinet FortiWeb", "Fortinet FortiGate", "HAProxy", "VMware ESXi"]}, {"uuid": "6dcbcfa6-67cd-4138-ac9f-f3acd5971670", "name": "Detect requests to Konni C2 servers", "effort": "elementary", "data_sources": ["Packet capture", "Web logs", "Web application firewall logs", "Web proxy"], "description": "This rule detects requests to Konni C2 servers. These patterns come from an analysis done in 2022, September.", "attack": ["command-and-control - Web Protocols (T1071.001)"], "intake-formats": ["Cloudflare Gateway HTTP", "Trellix Network Security", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Thinkst Canary", "Fastly Next-Gen WAF Audit Logs", "Salesforce", "VMware vCenter", "Azure Front Door", "Zscaler Internet Access", "CEF", "SentinelOne EDR", "Cato Networks SASE", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "Trend Micro Vision One OAT [BETA]", "Check Point Harmony Email & Collaboration Suite Security", "Delinea PRA", "Bitdefender GravityZone", "AWS WAF", "Cisco Meraki MX", "Check Point NGFW", "Cisco ESA", "Microsoft Defender XDR (Graph API) [BETA]", "OCSF", "Mimecast Email Security", "Citrix NetScaler / ADC", "Palo Alto NGFW", "Apache HTTP Server", "F5 BIG-IP", "PRODAFT USTA Cyber Threat Intelligence Platform", "Cisco Secure Firewall", "OGO WAF", "Sophos Firewall", "Microsoft 365 / Office 365", "Palo Alto Prisma access", "Trend Micro Apex One / Vision One endpoint", "BeyondTrust Privileged Remote Access Session", "Netskope", "Broadcom Edge Secure Web Gateway", "Zscaler Private Access [BETA]", "Broadcom/Symantec Endpoint Security", "Netskope Transaction Events with AWS S3", "TEHTRIS EDR", "Proofpoint TAP", "Forcepoint Secure Web Gateway", "Cisco ISE", "Sophos EDR", "Jizo AI / Sesame it NDR", "PingFederate", "Proofpoint PoD", "Stormshield SES", "Cisco Umbrella Proxy", "Cisco IOS router and switch", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Suricata", "Azure Files", "Google Cloud Load Balancing", "Squid", "Azure Key Vault", "Netskope Transaction Events [DEPRECATED]", "Trend Micro Cloud One / Deep Security", "Ubika WAAP Gateway", "Fortinet FortiProxy", "Imperva WAF", "Cisco Secure Web Appliance", "Sekoia.io activity logs", "Azure Application Gateway", "F5 NGINX", "Olfeo SAAS", "SonicWall Firewall", "Fortinet FortiMail", "Fortinet FortiGate", "HAProxy", "VMware ESXi", "SentinelOne Cloud Funnel 2.0", "Lookout Mobile Endpoint Security", "BeyondTrust PRA Team [BETA]"]}, {"uuid": "b191cb21-904e-4c50-b628-79d396101f44", "name": "Cisco Umbrella Threat Detected", "effort": "intermediate", "data_sources": ["Packet capture", "Web logs", "Web application firewall logs", "Web proxy", "DNS records"], "description": "Cisco Umbrella has detected a malicious traffic categorized as malware, phishing or adware.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Cisco Umbrella DNS", "Sekoia.io Endpoint Agent"]}, {"uuid": "79605045-3cf7-4d45-936a-c1f9e254c911", "name": "Potential Bazar Loader User-Agents", "effort": "elementary", "data_sources": ["Web application firewall logs", "Web proxy", "Packet capture", "Web logs"], "description": "Detects potential Bazar loader communications through the user-agent", "attack": ["command-and-control - Web Protocols (T1071.001)"], "intake-formats": ["NeroSwarm Honeypot", "Cloudflare Gateway HTTP", "Trellix Network Security", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "F5 Distributed Cloud", "Broadcom Cloud Secure Web Gateway", "Thinkst Canary", "Fastly Next-Gen WAF Audit Logs", "Salesforce", "VMware vCenter", "Fastly Next-Gen WAF Alerts", "Azure Front Door", "GraphAPI for Microsoft Entra ID / Azure AD", "Zscaler Internet Access", "Gatewatcher AionIQ V103", "CEF", "Wiz Audit Logs", "Cato Networks SASE", "Ubika Cloud Protector Next Generation Alerts", "Microsoft Entra ID / Azure AD", "Delinea PRA", "AWS WAF", "AWS CloudFront", "Cisco Meraki MX", "Check Point NGFW", "Cisco ESA", "Kubernetes Audit Log", "Trapster (by Ballpoint) [BETA]", "OCSF", "AWS CloudTrail", "Github Audit logs", "Ivanti / Pulse Connect Secure", "Citrix NetScaler / ADC", "Apache HTTP Server", "F5 BIG-IP", "Ubika Cloud Protector Traffic [DEPRECATED]", "Cisco Secure Firewall", "Cloudflare HTTP requests", "OGO WAF", "Sophos Firewall", "MokN - Baits", "CrowdStrike Falcon", "Microsoft 365 / Office 365", "Gatewatcher AionIQ v102", "Netskope", "Broadcom Edge Secure Web Gateway", "SonicWall Secure Mobile Access", "Zscaler Private Access [BETA]", "Netskope Transaction Events with AWS S3", "AWS GuardDuty", "Proofpoint TAP", "Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "Forcepoint Secure Web Gateway", "Cisco Duo Security", "Cisco ISE", "Nozomi CMC", "Cloudflare WAF events", "Cisco Umbrella Proxy", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Suricata", "Google Cloud Audit Logs", "Azure Files", "Okta", "Google Cloud Load Balancing", "Squid", "Azure Key Vault", "Cisco Catalyst SD-WAN", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "Fortinet FortiProxy", "Imperva WAF", "Cisco Secure Web Appliance", "Sekoia.io activity logs", "Azure Application Gateway", "F5 NGINX", "SonicWall Firewall", "Fortinet FortiWeb", "Fortinet FortiGate", "HAProxy", "VMware ESXi"]}, {"uuid": "198e1cd6-d997-43ce-a2c7-7e586b756d46", "name": "Phishing Detected By Vade For M365 And Not Blocked", "effort": "advanced", "data_sources": ["Anti-virus", "Email gateway"], "description": "Vade Secure product Vade for M365 has detected a phishing attempt from an email that is not whitelisted and didn't move the email to the junk folder.", "attack": ["initial-access - Spearphishing Attachment (T1566.001)", "initial-access - Spearphishing Link (T1566.002)", "initial-access - Spearphishing via Service (T1566.003)"], "intake-formats": ["Vade for M365"]}, {"uuid": "2fe88e90-a559-4f05-a56d-3142a85e5cbf", "name": "Fortigate IPS Critical Alert", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Fortigate intrusion detection alert with critical severity.", "attack": ["reconnaissance - Active Scanning (T1595)"], "intake-formats": ["Fortinet FortiGate"]}, {"uuid": "0f3494de-d213-4cc9-b8be-0941107728fd", "name": "Anomaly Internal Port Connection", "effort": "master", "data_sources": ["Network device logs", "Network intrusion detection system"], "description": "Detects multiple scan of different ports on internal network.", "attack": ["discovery - Network Service Discovery (T1046)"], "intake-formats": []}, {"uuid": "52388852-48db-4b7f-9217-194fcaccbd4f", "name": "Spearphishing (W2 Fraud) Detected By Vade For M365", "effort": "master", "data_sources": ["Anti-virus", "Email gateway"], "description": "Vade Secure product Vade for M365 has detected a spearphishing attempt with W2 fraud thematic. Executive or HR impersonation phishing for social security numbers or tax identification numbers. Collected data are generally used for identity theft schemes.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Vade for M365"]}, {"uuid": "e7be0f85-b8fd-497a-85d2-3719ea2ac2cb", "name": "Broadcom Edge Secure Web Gateway High Threat", "effort": "master", "data_sources": ["Network protocol analysis"], "description": "Detects when a high threat is detected by Broadcom Edge Secure Web Gateway.", "attack": ["initial-access - Valid Accounts (T1078)"], "intake-formats": ["Broadcom Edge Secure Web Gateway"]}, {"uuid": "0e57941d-39da-45f5-9c29-fd58ecfb5d46", "name": "Outgoing Bytes Peak", "effort": "advanced", "data_sources": ["Authentication logs", "Web application firewall logs", "Network protocol analysis", "Packet capture"], "description": "Spots outgoing bytes traffic peak to detect a data exfiltration.", "attack": ["exfiltration - Exfiltration Over Web Service (T1567)"], "intake-formats": []}, {"uuid": "2617c004-5564-44f7-92aa-caf2822b04f4", "name": "Cobalt Strike HTTP Default POST Beaconing", "effort": "advanced", "data_sources": ["Network device logs", "Packet capture"], "description": "Detects POST HTTP queries from known Cobalt Strike beacons (source code 4.3)", "attack": ["command-and-control - Web Protocols (T1071.001)"], "intake-formats": ["Suricata", "Zscaler Internet Access", "Cisco Secure Web Appliance", "Salesforce", "Zscaler Private Access [BETA]", "VMware vCenter", "Cisco Umbrella Proxy", "Azure Front Door", "Squid", "Apache HTTP Server", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "F5 BIG-IP", "F5 NGINX", "Cisco Secure Firewall", "HAProxy", "Olfeo SAAS"]}, {"uuid": "bc988d38-a607-4cd6-b750-5c847f9b80ff", "name": "Authentication Impossible Travel", "effort": "master", "data_sources": ["Authentication logs", "Web application firewall logs", "Web logs", "Web proxy"], "description": "Detects impossible travel when performing authentication from a source IP address, grouped by user name. This could require some alert filtering for some user generic accounts, and known IP address range. Microsoft / Office 365 format is not covered by this rule.", "attack": ["credential-access - Brute Force (T1110)", "initial-access - Valid Accounts (T1078)"], "intake-formats": ["Zscaler Private Access [BETA]", "GraphAPI for Microsoft Entra ID / Azure AD"]}, {"uuid": "47ecbf6c-4755-49f2-909e-5edbb6be9273", "name": "Spearphishing (CEO Fraud) Detected By Vade For M365", "effort": "master", "data_sources": ["Anti-virus", "Email gateway"], "description": "Vade Secure product Vade for M365 has detected a spearphishing attempt with CEO fraud thematic. Impersonation of CEO or senior management members requesting urgent money transfer, usually on an unknown RIB.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Vade for M365"]}, {"uuid": "abb4d036-6401-45d7-bb27-46a39d360ea1", "name": "Cobalt Strike DNS Beaconing", "effort": "advanced", "data_sources": ["DNS records", "Network device logs", "Packet capture"], "description": "Detects suspicious DNS queries known from Cobalt Strike beacons. The threshold is more than 50 suspicious DNS requests to avoid false positives.", "attack": ["command-and-control - DNS (T1071.004)"], "intake-formats": ["EfficientIP SOLIDServer DDI", "OCSF", "Suricata", "Zscaler Internet Access", "Infoblox DDI", "Cloudflare Gateway DNS", "Gatewatcher AionIQ v102", "Crowdstrike Falcon Telemetry", "BIND", "Cisco Umbrella DNS", "Fortinet FortiGate", "Unbound", "HarfangLab EDR"]}, {"uuid": "c66b5406-665f-4d6c-8f4f-93d9fa986d1a", "name": "CVE-2020-0688 Microsoft Exchange Server Exploit", "effort": "elementary", "data_sources": ["Packet capture", "Web application firewall logs", "Web logs", "Web proxy"], "description": "Detects the exploitation of CVE-2020-0688. The POC exploit a .NET serialization vulnerability in the Exchange Control Panel (ECP) web page. The vulnerability is due to Microsoft Exchange Server not randomizing the keys on a per-installation basis resulting in them using the same validationKey and decryptionKey values. With knowledge of these, values an attacker can craft a special viewstate to use an OS command to be executed by NT_AUTHORITY\\SYSTEM using .NET deserialization. To exploit this vulnerability, an attacker needs to leverage the credentials of an account it had already compromised to authenticate to OWA.", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Cloudflare Gateway HTTP", "Trellix Network Security", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Thinkst Canary", "Fastly Next-Gen WAF Audit Logs", "Salesforce", "VMware vCenter", "Azure Front Door", "Zscaler Internet Access", "CEF", "SentinelOne EDR", "Cato Networks SASE", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "Trend Micro Vision One OAT [BETA]", "Check Point Harmony Email & Collaboration Suite Security", "Delinea PRA", "Bitdefender GravityZone", "AWS WAF", "Cisco Meraki MX", "Check Point NGFW", "Cisco ESA", "Microsoft Defender XDR (Graph API) [BETA]", "OCSF", "Mimecast Email Security", "Citrix NetScaler / ADC", "Palo Alto NGFW", "Apache HTTP Server", "F5 BIG-IP", "PRODAFT USTA Cyber Threat Intelligence Platform", "Cisco Secure Firewall", "OGO WAF", "Sophos Firewall", "Microsoft 365 / Office 365", "Palo Alto Prisma access", "Trend Micro Apex One / Vision One endpoint", "BeyondTrust Privileged Remote Access Session", "Netskope", "Broadcom Edge Secure Web Gateway", "Zscaler Private Access [BETA]", "Broadcom/Symantec Endpoint Security", "Netskope Transaction Events with AWS S3", "TEHTRIS EDR", "Proofpoint TAP", "Forcepoint Secure Web Gateway", "Cisco ISE", "Sophos EDR", "Jizo AI / Sesame it NDR", "PingFederate", "Proofpoint PoD", "Stormshield SES", "Cisco Umbrella Proxy", "Cisco IOS router and switch", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Suricata", "Azure Files", "Google Cloud Load Balancing", "Squid", "Azure Key Vault", "Netskope Transaction Events [DEPRECATED]", "Trend Micro Cloud One / Deep Security", "Ubika WAAP Gateway", "Fortinet FortiProxy", "Imperva WAF", "Cisco Secure Web Appliance", "Sekoia.io activity logs", "Azure Application Gateway", "F5 NGINX", "Olfeo SAAS", "SonicWall Firewall", "Fortinet FortiMail", "Fortinet FortiGate", "HAProxy", "VMware ESXi", "SentinelOne Cloud Funnel 2.0", "Lookout Mobile Endpoint Security", "BeyondTrust PRA Team [BETA]"]}, {"uuid": "5857d57c-01a9-418c-9587-59cf193c29cb", "name": "Brute Force WALLIX Bastion", "effort": "master", "data_sources": ["Authentication logs"], "description": "Detects a successful login after many failed attempts by the same user.", "attack": ["credential-access - Brute Force (T1110)"], "intake-formats": ["WALLIX Bastion"]}, {"uuid": "2e9ce1aa-1fb1-4094-a58f-c0e59e272125", "name": "Cyberwatch Detection Critical Vulnerability", "effort": "master", "data_sources": ["Asset management"], "description": "Cyberwatch Detection has detected an asset with a critical vulnerability ", "attack": ["resource-development - Vulnerabilities (T1588.006)"], "intake-formats": ["Cyberwatch Detection"]}, {"uuid": "3b4380f2-a7dd-4fd4-9157-b9fd250d6b43", "name": "Retarus Email Security Threat Detected (Sandboxing)", "effort": "elementary", "data_sources": ["Email gateway"], "description": "Sandboxing alerts detected by Retarus Email Security. Sandboxing subjects specific file attachments to an in-depth analysis. Retarus uses a sandboxing solution from the specialized and highly respected third-party provider Palo Alto Networks for this advanced threat assessment. Emails identified as infected are either deleted or quarantined, and the intended recipient is notified.", "attack": ["initial-access - Spearphishing Attachment (T1566.001)"], "intake-formats": ["Retarus Email Security"]}, {"uuid": "501ad68f-28c5-4e86-acf1-e00090c7dec6", "name": "ExtraHop Reveal(x) 360 Intrusion Detection High Severity", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "ExtraHop Reveal(x) 360 raised an intrusion detection alert with high severity.", "attack": ["reconnaissance - Active Scanning (T1595)"], "intake-formats": ["ExtraHop Reveal(x) 360"]}, {"uuid": "b4e8a0e8-7805-4d88-9b6a-3c2d85cd6488", "name": "Systancia Cleanroom Brute Force", "effort": "master", "data_sources": ["Application logs"], "description": "Detects a successful brute force attempt to access systancia cleanroom web portal.", "attack": ["credential-access - Brute Force (T1110)"], "intake-formats": ["Systancia Cleanroom"]}, {"uuid": "89da661c-e033-402f-99c6-54774aec1a57", "name": "Zscaler Internet Access Data Exfiltration", "effort": "master", "data_sources": ["Network device logs"], "description": "Detects request of 100000000 bytes or more from Zscaler Internet Access monitored hosts.", "attack": ["exfiltration - Exfiltration Over Other Network Medium (T1011)"], "intake-formats": []}, {"uuid": "8cd8c382-d07d-4890-bc9c-7b69a161eb1b", "name": "Download Files From Suspicious TLDs", "effort": "master", "data_sources": ["Web logs", "Web proxy", "Web application firewall logs", "Packet capture"], "description": "Detects download of certain file types from hosts in suspicious TLDs", "attack": ["initial-access - Phishing (T1566)", "execution - Exploitation for Client Execution (T1203)", "execution - User Execution (T1204)", "execution - Malicious Link (T1204.001)", "execution - Malicious File (T1204.002)"], "intake-formats": ["OCSF", "Cisco ESA", "Fortinet FortiProxy", "Netskope", "Broadcom Edge Secure Web Gateway", "Suricata", "Imperva WAF", "Zscaler Internet Access", "Zscaler Private Access [BETA]", "Bitdefender GravityZone", "Netskope Transaction Events with AWS S3", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "F5 BIG-IP", "F5 NGINX", "Windows", "Citrix NetScaler / ADC", "Ubika WAAP Gateway", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "5a682e9b-a480-4f66-a3cd-1022dd2b85d6", "name": "Anomaly Internal RDP", "effort": "master", "data_sources": ["Network device logs", "Network intrusion detection system"], "description": "Detects uncompleted attempts to connect to a Remote Desktop Protocol (RDP) session.", "attack": ["discovery - System Service Discovery (T1007)"], "intake-formats": []}, {"uuid": "32d37ad6-c0c9-4f7b-842b-8e27faeccc68", "name": "ESET Protect Remote Action", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects when different remote commands are performed on the same hostname is a short amount of time.", "attack": ["lateral-movement - Exploitation of Remote Services (T1210)"], "intake-formats": ["ESET Protect"]}, {"uuid": "2ad46415-48b6-4bfd-899d-7b936375a0e3", "name": "Exfiltration Domain", "effort": "master", "data_sources": ["DNS records", "Netflow/Enclave netflow", "Network protocol analysis", "Packet capture", "Web logs"], "description": "Detects traffic toward a domain flagged as a possible exfiltration vector.", "attack": ["exfiltration - Exfiltration Over Alternative Protocol (T1048)", "exfiltration - Exfiltration Over Web Service (T1567)"], "intake-formats": ["NeroSwarm Honeypot", "Cloudflare Gateway HTTP", "Azure Network Watcher [DEPRECATED]", "Trellix Network Security", "Ekinops OneOS", "Veeam Backup", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Apache SpamAssassin", "F5 Distributed Cloud", "Broadcom Cloud Secure Web Gateway", "Forcepoint Management Server", "Cloudflare Access Requests", "Tanium", "Thinkst Canary", "Fastly Next-Gen WAF Audit Logs", "Salesforce", "VMware vCenter", "Fastly Next-Gen WAF Alerts", "Azure Front Door", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Unbound", "Vade for M365", "GraphAPI for Microsoft Entra ID / Azure AD", "Broadcom Siteminder", "Cyberwatch Detection", "Microsoft Intune", "Azure Database for MySQL", "Zscaler Internet Access", "Gatewatcher AionIQ V103", "FreeRADIUS", "CEF", "SentinelOne EDR", "Wiz Audit Logs", "Cato Networks SASE", "Akamai Guardicore On-Prem [BETA]", "Olfeo secure web gateway", "One Identity SPS", "Microsoft Entra ID / Azure AD", "Aleph Alerts [BETA]", "Check Point Harmony Email & Collaboration Suite Security", "Delinea PRA", "Trend Micro Vision One OAT [BETA]", "Ubika Cloud Protector Next Generation Alerts", "Microsoft Always On VPN", "WatchGuard Firebox", "Systancia Cleanroom", "Bitdefender GravityZone", "AWS WAF", "AWS CloudFront", "Cisco Meraki MX", "Check Point NGFW", "Elastic Winlogbeat", "Cisco NX-OS", "Cisco ESA", "Seckiot Citadelle", "Kubernetes Audit Log", "Trapster (by Ballpoint) [BETA]", "Azure Network Watcher Flow Logs", "Cloudflare Audit logs", "BeyondTrust Privileged Remote Access Syslog [BETA]", "Hornetsecurity 365 Total Protection", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "Cloudflare DNS logs", "Google Workspace / ChromeOS", "Wiz Threat Detections", "OCSF", "AWS CloudTrail", "Microsoft 365 Message Trace [DEPRECATED]", "Github Audit logs", "Juniper Networks Switches", "Microsoft IIS", "Claroty xDome", "Cisco Umbrella DNS", "Juniper NGFW", "Ivanti / Pulse Connect Secure", "Mimecast Email Security", "Citrix NetScaler / ADC", "Wiz Vulnerability Findings", "Palo Alto NGFW", "Cisco Umbrella IP", "Trellix EDR [ALPHA]", "Darktrace Threat Visualizer", "Nanocorp [BETA]", "Stormshield SNS", "Apache HTTP Server", "OpenVPN", "F5 BIG-IP", "PRODAFT USTA Cyber Threat Intelligence Platform", "Ubika Cloud Protector Traffic [DEPRECATED]", "Cisco Secure Firewall", "Trellix ePO (on-prem)", "ArubaOS Switch", "Cloudflare HTTP requests", "IBM AIX", "OGO WAF", "Jumpcloud Directory Insights", "Sophos Firewall", "MokN - Baits", "Varonis Data Security", "Azure Activity Logs", "Trellix EPO [ALPHA]", "CrowdStrike Falcon", "Infoblox DDI", "Microsoft 365 / Office 365", "Gatewatcher AionIQ v102", "Palo Alto Prisma access", "Vectra Cognito Detect", "Akamai Guardicore Cloud [BETA]", "Trend Micro Apex One / Vision One endpoint", "Retarus Email Security", "BeyondTrust Privileged Remote Access Session", "Netskope", "Broadcom Edge Secure Web Gateway", "SonicWall Secure Mobile Access", "ESET Protect", "Zscaler Private Access [BETA]", "Broadcom/Symantec Endpoint Security", "Netskope Transaction Events with AWS S3", "AWS GuardDuty", "TEHTRIS EDR", "Watchguard EPDR", "Lacework Cloud Security", "Proofpoint TAP", "WithSecure Elements", "Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "WatchGuard Endpoint Security / Panda Security Aether", "Forcepoint Secure Web Gateway", "Cisco Duo Security", "Cisco ISE", "Nozomi CMC", "Radware DefensePro [Beta]", "IBM iSeries", "OpenBSD Packet Filter / OPNSense / PfSense", "Elastic AuditBeat Linux", "Rubycat PROVE IT", "Cloudflare WAF events", "Jizo AI / Sesame it NDR", "PingFederate", "Proofpoint PoD", "Stormshield SES", "Wiz Issues", "AWS VPC Flow logs", "Microsoft 365 Message Trace (Graph API)", "Cisco Umbrella Proxy", "ManageEngine ADAudit Plus", "Cisco IOS router and switch", "Google VPC Flow Logs", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "EfficientIP SOLIDServer DDI", "SentinelOne Singularity Identity", "Vade Cloud", "Netfilter", "Suricata", "Google Cloud Audit Logs", "Palo Alto Cortex XDR (EDR)", "1Password EPM", "Cloudflare Gateway DNS", "Postfix", "Azure Files", "Ubika Cloud Protector Alerts [DEPRECATED]", "Azure Windows", "Nozomi Vantage", "NucleonEDR", "Okta", "ExtraHop Reveal(x) 360", "Google Cloud Load Balancing", "CyberArk Audit Logs", "Squid", "Azure Key Vault", "Barracuda CloudGen Firewall", "Akamai WAF", "Cisco Catalyst SD-WAN", "Netskope Transaction Events [DEPRECATED]", "LockSelf LockPass/LockTransfer/LockFiles", "Trend Micro Cloud One / Deep Security", "Ubika WAAP Gateway", "Keycloak Events", "Fortinet FortiProxy", "Cybereason EDR activity", "Imperva WAF", "Cisco Secure Web Appliance", "ISC DHCP", "Sekoia.io activity logs", "Azure Application Gateway", "F5 NGINX", "Olfeo SAAS", "OpenLDAP", "SonicWall Firewall", "WALLIX Bastion", "Clavister NGFW", "Fortinet FortiWeb", "CyberArk Digital Vault", "Fortinet FortiMail", "Cloudflare Gateway Network", "Fortinet FortiGate", "Trellix Advanced Threat Defense", "HAProxy", "OpenSSH", "VMware ESXi", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "BIND", "Trend Micro Vision One Workbench Alerts [BETA]", "Bitsight SPM"]}, {"uuid": "cf7df53d-b5a9-40d5-9c10-759907315f5b", "name": "Bazar Loader DGA (Domain Generation Algorithm)", "effort": "elementary", "data_sources": ["Web application firewall logs", "Web proxy", "Packet capture", "Web logs"], "description": "Detects Bazar Loader domains based on the Bazar Loader DGA", "attack": ["command-and-control - DNS (T1071.004)"], "intake-formats": ["Cisco ESA", "Netskope", "Broadcom Edge Secure Web Gateway", "Trapster (by Ballpoint) [BETA]", "Zscaler Private Access [BETA]", "Crowdstrike Falcon Telemetry", "Netskope Transaction Events with AWS S3", "Cloudflare DNS logs", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "F5 Distributed Cloud", "Barracuda CloudGen Firewall", "Broadcom Cloud Secure Web Gateway", "Cisco Catalyst SD-WAN", "Akamai WAF", "Ubika WAAP Gateway", "OCSF", "Fortinet FortiProxy", "Cloudflare Access Requests", "Tanium", "Imperva WAF", "Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "Cisco Umbrella DNS", "F5 NGINX", "Unbound", "Citrix NetScaler / ADC", "Cloudflare WAF events", "Fortinet FortiWeb", "Zscaler Internet Access", "Gatewatcher AionIQ V103", "Stormshield SNS", "Fortinet FortiGate", "F5 BIG-IP", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "EfficientIP SOLIDServer DDI", "Ubika Cloud Protector Next Generation Alerts", "Aleph Alerts [BETA]", "MokN - Baits", "Suricata", "WatchGuard Firebox", "Palo Alto Cortex XDR (EDR)", "Bitdefender GravityZone", "Infoblox DDI", "Cloudflare Gateway DNS", "SentinelOne Cloud Funnel 2.0", "Gatewatcher AionIQ v102", "BIND", "Azure Windows", "Bitsight SPM", "Elastic Winlogbeat"]}, {"uuid": "e234c840-1617-4d46-a71f-78408e0c6c3b", "name": "Phishing Detected By Vade For M365", "effort": "master", "data_sources": ["Anti-virus", "Email gateway"], "description": "Vade Secure product Vade for M365 has detected a phishing attempt.", "attack": ["initial-access - Spearphishing Attachment (T1566.001)", "initial-access - Spearphishing Link (T1566.002)", "initial-access - Spearphishing via Service (T1566.003)"], "intake-formats": ["Vade for M365"]}, {"uuid": "ad65c510-a673-4374-9d57-1bdd70ceb5db", "name": "Spam Detected By Vade For M365", "effort": "master", "data_sources": ["Anti-virus", "Email gateway"], "description": "Vade Secure product Vade for M365, has detected a spam e-mail.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Vade for M365"]}, {"uuid": "d8f47077-6dd5-466d-b876-95f5b9cd0bf5", "name": "Cloudflare Gateway DNS Query Blocked to Malicious Domain", "effort": "master", "data_sources": ["DNS records"], "description": "A DNS query to a domain categorized by Cloudflare Gateway as malicious was blocked by policy.", "attack": ["command-and-control - Web Protocols (T1071.001)"], "intake-formats": ["Cloudflare Gateway DNS"]}, {"uuid": "dd32dc5a-5953-4b2f-a7d2-17fb0d442825", "name": "Spearphishing (Initial Contact Fraud) Detected By Vade For M365", "effort": "master", "data_sources": ["Anti-virus", "Email gateway"], "description": "Vade Secure product Vade for M365 has detected a spearphishing attempt with initial contact fraud thematic. Do not contains any malicious content or specific actions other than a request to reply to the email. \u201cAre you available?\u201d. The main goal is to incite a reply that could register the sending address as a known and legitimate address.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Vade for M365"]}, {"uuid": "ff408161-d546-4b99-97ff-68c520b3c050", "name": "Nimbo-C2 User Agent", "effort": "intermediate", "data_sources": ["Web application firewall logs", "Web proxy", "Packet capture", "Web logs"], "description": "Nimbo-C2 Uses an unusual User-Agent format in its implants.", "attack": ["command-and-control - Web Protocols (T1071.001)"], "intake-formats": ["NeroSwarm Honeypot", "Cloudflare Gateway HTTP", "Trellix Network Security", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "F5 Distributed Cloud", "Broadcom Cloud Secure Web Gateway", "Thinkst Canary", "Fastly Next-Gen WAF Audit Logs", "Salesforce", "VMware vCenter", "Fastly Next-Gen WAF Alerts", "Azure Front Door", "GraphAPI for Microsoft Entra ID / Azure AD", "Zscaler Internet Access", "Gatewatcher AionIQ V103", "CEF", "Wiz Audit Logs", "Cato Networks SASE", "Ubika Cloud Protector Next Generation Alerts", "Microsoft Entra ID / Azure AD", "Delinea PRA", "AWS WAF", "AWS CloudFront", "Cisco Meraki MX", "Check Point NGFW", "Cisco ESA", "Kubernetes Audit Log", "Trapster (by Ballpoint) [BETA]", "OCSF", "AWS CloudTrail", "Github Audit logs", "Ivanti / Pulse Connect Secure", "Citrix NetScaler / ADC", "Apache HTTP Server", "F5 BIG-IP", "Ubika Cloud Protector Traffic [DEPRECATED]", "Cisco Secure Firewall", "Cloudflare HTTP requests", "OGO WAF", "Sophos Firewall", "MokN - Baits", "CrowdStrike Falcon", "Microsoft 365 / Office 365", "Gatewatcher AionIQ v102", "Netskope", "Broadcom Edge Secure Web Gateway", "SonicWall Secure Mobile Access", "Zscaler Private Access [BETA]", "Netskope Transaction Events with AWS S3", "AWS GuardDuty", "Proofpoint TAP", "Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "Forcepoint Secure Web Gateway", "Cisco Duo Security", "Cisco ISE", "Nozomi CMC", "Cloudflare WAF events", "Cisco Umbrella Proxy", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Suricata", "Google Cloud Audit Logs", "Azure Files", "Okta", "Google Cloud Load Balancing", "Squid", "Azure Key Vault", "Cisco Catalyst SD-WAN", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "Fortinet FortiProxy", "Imperva WAF", "Cisco Secure Web Appliance", "Sekoia.io activity logs", "Azure Application Gateway", "F5 NGINX", "SonicWall Firewall", "Fortinet FortiWeb", "Fortinet FortiGate", "HAProxy", "VMware ESXi"]}, {"uuid": "cc36e8db-ceb4-453b-ad75-f0ff8fbed493", "name": "Login Brute-Force Successful On Rubycat PROVE IT", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "A user has attempted to login several times (brute-force) through Rubycat PROVE IT protected devices and succeeded to login.", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": []}, {"uuid": "5a3e7aa0-8826-4231-a0b9-eadcb7c06db9", "name": "EfficientIP SOLIDServer Suspicious Behavior", "effort": "master", "data_sources": ["DNS records", "Network device logs"], "description": "Detects when EfficientIP SOLIDServer forwards a suspicious behavior related to an IP.", "attack": ["execution - User Execution (T1204)"], "intake-formats": ["EfficientIP SOLIDServer DDI"]}, {"uuid": "81a998b2-5207-4909-b88b-a6e73e144962", "name": "1Password EPM Brute Force", "effort": "master", "data_sources": ["Authentication logs"], "description": "Detects multiple failed login followed by a success from the same user.", "attack": ["credential-access - Brute Force (T1110)"], "intake-formats": ["1Password EPM"]}, {"uuid": "3bab8078-be30-406a-ad16-c2019930bba1", "name": "Forcepoint Secure Web Gateway Malicious Websites", "effort": "master", "data_sources": ["Web proxy"], "description": "Forcepoint Secure Web Gateway has detected an access to an IP/domain tagged as malicious. Even if it has been blocked, it could be interesting to investigate the source asset.", "attack": ["exfiltration - Exfiltration Over C2 Channel (T1041)"], "intake-formats": []}, {"uuid": "3fed75bd-3402-4a2d-b9b3-1a438ed3fc58", "name": "CVE-2021-26855 Exchange SSRF", "effort": "advanced", "data_sources": ["Netflow/Enclave netflow", "Network protocol analysis", "Packet capture", "Web application firewall logs", "Web logs"], "description": "Detects the exploitation of ProyxLogon vulerability on Exchange servers.", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Cloudflare Gateway HTTP", "Broadcom Edge Secure Web Gateway", "Google Cloud Load Balancing", "Trellix Network Security", "Zscaler Private Access [BETA]", "Netskope Transaction Events with AWS S3", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Squid", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "OCSF", "Imperva WAF", "Thinkst Canary", "Cisco Secure Web Appliance", "Salesforce", "VMware vCenter", "Forcepoint Secure Web Gateway", "Azure Front Door", "Sekoia.io activity logs", "Azure Application Gateway", "F5 NGINX", "Citrix NetScaler / ADC", "Olfeo SAAS", "SonicWall Firewall", "Palo Alto NGFW", "PingFederate", "Zscaler Internet Access", "Cisco Umbrella Proxy", "CEF", "Apache HTTP Server", "Fortinet FortiGate", "F5 BIG-IP", "Cisco Secure Firewall", "HAProxy", "HarfangLab EDR", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "OGO WAF", "Sophos Firewall", "Suricata", "SentinelOne Cloud Funnel 2.0", "AWS WAF", "Palo Alto Prisma access", "Cisco Meraki MX", "Check Point NGFW"]}, {"uuid": "2613edbf-cb8d-4156-9b93-faf213af6f15", "name": "CVE-2020-5902 F5 BIG-IP Exploitation Attempts", "effort": "elementary", "data_sources": ["Netflow/Enclave netflow", "Network protocol analysis", "Packet capture", "Web logs"], "description": "Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902.", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Cloudflare Gateway HTTP", "Broadcom Edge Secure Web Gateway", "Google Cloud Load Balancing", "Zscaler Private Access [BETA]", "Netskope Transaction Events with AWS S3", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Squid", "Azure Key Vault", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "OCSF", "Fortinet FortiProxy", "Imperva WAF", "Thinkst Canary", "Cisco Secure Web Appliance", "Salesforce", "VMware vCenter", "Azure Front Door", "Azure Application Gateway", "F5 NGINX", "Citrix NetScaler / ADC", "Olfeo SAAS", "Jizo AI / Sesame it NDR", "PingFederate", "Zscaler Internet Access", "Cisco Umbrella Proxy", "Apache HTTP Server", "F5 BIG-IP", "Cisco Secure Firewall", "HAProxy", "HarfangLab EDR", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "OGO WAF", "Delinea PRA", "Sophos Firewall", "Suricata", "AWS WAF", "Azure Files"]}, {"uuid": "a653c3a6-88f7-4c48-906a-073650e02e77", "name": "Netskope Successful Brute Force On Protected Applications", "effort": "master", "data_sources": ["Authentication logs", "Web application firewall logs", "Web logs", "Web proxy"], "description": "Detects successful brute force on Netskope protected applications after more than 5 failures in 5 minutes and one success for the same user name and application.", "attack": ["credential-access - Brute Force (T1110)", "initial-access - Valid Accounts (T1078)"], "intake-formats": ["Netskope"]}, {"uuid": "1e20617f-298e-4956-8e90-cb77b936a317", "name": "Sliver DNS Beaconing", "effort": "intermediate", "data_sources": ["DNS records", "Network device logs", "Packet capture", "Windows event logs"], "description": "Detects suspicious DNS queries known from Sliver beaconing ", "attack": ["command-and-control - DNS (T1071.004)"], "intake-formats": ["Broadcom Edge Secure Web Gateway", "Crowdstrike Falcon Telemetry", "Cloudflare DNS logs", "Barracuda CloudGen Firewall", "Broadcom Cloud Secure Web Gateway", "OCSF", "Tanium", "Cisco Umbrella DNS", "Unbound", "Zscaler Internet Access", "Fortinet FortiGate", "F5 BIG-IP", "Cisco Secure Firewall", "Windows", "HarfangLab EDR", "Sekoia.io Endpoint Agent", "EfficientIP SOLIDServer DDI", "Suricata", "WatchGuard Firebox", "Palo Alto Cortex XDR (EDR)", "SentinelOne Cloud Funnel 2.0", "Infoblox DDI", "Cloudflare Gateway DNS", "Gatewatcher AionIQ v102", "BIND", "Azure Windows", "Elastic Winlogbeat"]}, {"uuid": "7d30918c-c12d-456b-9e52-b843891ff1c4", "name": "Download File On Cloud Storage Through Command Line", "effort": "intermediate", "data_sources": ["Process command-line parameters"], "description": "Detects commonly used commands like curl or wget used to download files on a Cloud Storage URL like a Google Drive URL.", "attack": ["command-and-control - Web Protocols (T1071.001)"], "intake-formats": ["OCSF", "Palo Alto Cortex XDR (EDR)", "Crowdstrike Falcon Telemetry", "Stormshield SNS", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Windows", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "62844398-7b39-11eb-9439-0242ac130002", "name": "CVE-2021-21972 VMware vCenter", "effort": "intermediate", "data_sources": ["Web logs", "Web application firewall logs", "Web proxy", "Packet capture"], "description": "The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2). POST request on the following PATH \"/ui/vropspluginui/rest/services/uploadova\". If in response body (500) the words it has \"uploadFile\", that means the vCenter is available to accept files via POST without any restrictions.", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Cloudflare Gateway HTTP", "Broadcom Edge Secure Web Gateway", "Google Cloud Load Balancing", "Trellix Network Security", "Zscaler Private Access [BETA]", "Netskope Transaction Events with AWS S3", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Squid", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "OCSF", "Imperva WAF", "Thinkst Canary", "Cisco Secure Web Appliance", "Salesforce", "VMware vCenter", "Forcepoint Secure Web Gateway", "Azure Front Door", "Sekoia.io activity logs", "Azure Application Gateway", "F5 NGINX", "Citrix NetScaler / ADC", "Olfeo SAAS", "SonicWall Firewall", "Palo Alto NGFW", "PingFederate", "Zscaler Internet Access", "Cisco Umbrella Proxy", "CEF", "Apache HTTP Server", "Fortinet FortiGate", "F5 BIG-IP", "Cisco Secure Firewall", "HAProxy", "HarfangLab EDR", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "OGO WAF", "Sophos Firewall", "Suricata", "SentinelOne Cloud Funnel 2.0", "AWS WAF", "Palo Alto Prisma access", "Cisco Meraki MX", "Check Point NGFW"]}, {"uuid": "ee13f15c-a65e-4a35-95b8-5db8171a9c94", "name": "1Password EPM Grant Access Vault", "effort": "master", "data_sources": ["Third-party application logs"], "description": "Detects when a group is granted access to a 1Password vault.", "attack": ["credential-access - Credentials from Password Stores (T1555)"], "intake-formats": ["1Password EPM"]}, {"uuid": "07fbd0f1-c11f-43f3-a024-9df7826eca75", "name": "Netskope Potential Brute Force On Protected Applications", "effort": "master", "data_sources": ["Authentication logs", "Web application firewall logs", "Web logs", "Web proxy"], "description": "Detects potential brute force on Netskope protected applications with more than 10 failures in 5 minutes for the same user name and application.", "attack": ["credential-access - Brute Force (T1110)", "initial-access - Valid Accounts (T1078)"], "intake-formats": ["Netskope"]}, {"uuid": "76be6bb8-1ba6-4fbc-a45a-db7c58a127e6", "name": "CVE-2020-14882 Oracle WebLogic Server", "effort": "advanced", "data_sources": ["Packet capture", "Web logs", "Web proxy", "Web application firewall logs"], "description": "Detects the exploitation of the Oracle WebLogic Server vulnerability (CVE-2020-16952).", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Cloudflare Gateway HTTP", "Broadcom Edge Secure Web Gateway", "Google Cloud Load Balancing", "Trellix Network Security", "Zscaler Private Access [BETA]", "Netskope Transaction Events with AWS S3", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Squid", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "OCSF", "Imperva WAF", "Thinkst Canary", "Cisco Secure Web Appliance", "Salesforce", "VMware vCenter", "Forcepoint Secure Web Gateway", "Azure Front Door", "Sekoia.io activity logs", "Azure Application Gateway", "F5 NGINX", "Citrix NetScaler / ADC", "Olfeo SAAS", "SonicWall Firewall", "Palo Alto NGFW", "PingFederate", "Zscaler Internet Access", "Cisco Umbrella Proxy", "CEF", "Apache HTTP Server", "Fortinet FortiGate", "F5 BIG-IP", "Cisco Secure Firewall", "HAProxy", "HarfangLab EDR", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "OGO WAF", "Sophos Firewall", "Suricata", "SentinelOne Cloud Funnel 2.0", "AWS WAF", "Palo Alto Prisma access", "Cisco Meraki MX", "Check Point NGFW"]}, {"uuid": "2f3b3e50-44a6-412a-8d64-b0c8ffb9461b", "name": "CVE-2019-2725 Oracle Weblogic Exploit", "effort": "elementary", "data_sources": ["Packet capture", "Web logs", "Web proxy", "Web application firewall logs"], "description": "Detects the successful exploitation of a deserialization vulnerability in Oracle Weblogic Server, CVE-2019-2725. This vulnerability affects versions 10.X and 12.1.3 of WebLogic that have the components wls9_async_response.war and wls-wsat.war enabled. It is a remote code execution which can be exploited without authentication via HTTP. An HTTP response status code = 202, means the target is vulnerable, the analyst then has to look in depth to check if a webshell has been uploaded or something else has been done.", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Cloudflare Gateway HTTP", "Broadcom Edge Secure Web Gateway", "Google Cloud Load Balancing", "Zscaler Private Access [BETA]", "Netskope Transaction Events with AWS S3", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Squid", "Azure Key Vault", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "OCSF", "Fortinet FortiProxy", "Imperva WAF", "Thinkst Canary", "Cisco Secure Web Appliance", "Salesforce", "VMware vCenter", "Azure Front Door", "Azure Application Gateway", "F5 NGINX", "Citrix NetScaler / ADC", "Olfeo SAAS", "Jizo AI / Sesame it NDR", "PingFederate", "Zscaler Internet Access", "Cisco Umbrella Proxy", "Apache HTTP Server", "F5 BIG-IP", "Cisco Secure Firewall", "HAProxy", "HarfangLab EDR", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "OGO WAF", "Delinea PRA", "Sophos Firewall", "Suricata", "AWS WAF", "Azure Files"]}, {"uuid": "042414b0-f364-4f01-b668-a3e2ad8e3261", "name": "Forcepoint Secure Web Gateway Compromised Websites", "effort": "master", "data_sources": ["Web proxy"], "description": "Forcepoint Secure Web Gateway has detected an access to an IP/domain tagged as compromised. Even if it has been blocked, it could be interesting to investigate the source asset.", "attack": ["exfiltration - Exfiltration Over C2 Channel (T1041)"], "intake-formats": []}, {"uuid": "2c4eb091-dd5e-4588-90e5-feff1c4530ae", "name": "CVE-2021-34473 ProxyShell Attempt", "effort": "advanced", "data_sources": ["Packet capture", "Web logs", "Web application firewall logs", "Web proxy"], "description": "Detects CVE-2021-34473 ProxyShell attempt against Microsoft Exchange Server, Remote Code Execution Vulnerability.", "attack": ["persistence - Web Shell (T1505.003)"], "intake-formats": ["Cloudflare Gateway HTTP", "Broadcom Edge Secure Web Gateway", "Google Cloud Load Balancing", "Zscaler Private Access [BETA]", "Netskope Transaction Events with AWS S3", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Squid", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "OCSF", "Imperva WAF", "Thinkst Canary", "Cisco Secure Web Appliance", "Salesforce", "VMware vCenter", "Azure Front Door", "Azure Application Gateway", "F5 NGINX", "Citrix NetScaler / ADC", "Olfeo SAAS", "PingFederate", "Zscaler Internet Access", "Cisco Umbrella Proxy", "Apache HTTP Server", "F5 BIG-IP", "Cisco Secure Firewall", "HAProxy", "HarfangLab EDR", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "OGO WAF", "Sophos Firewall", "Suricata", "AWS WAF"]}, {"uuid": "5f64d7e1-f726-468e-8eb7-ca394b8c011f", "name": "CVE-2018-11776 Apache Struts2", "effort": "intermediate", "data_sources": ["Network device logs", "Network protocol analysis", "Web logs", "Web application firewall logs"], "description": "Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace.", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Cloudflare Gateway HTTP", "Broadcom Edge Secure Web Gateway", "Google Cloud Load Balancing", "Trellix Network Security", "Zscaler Private Access [BETA]", "Netskope Transaction Events with AWS S3", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Squid", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "OCSF", "Imperva WAF", "Thinkst Canary", "Cisco Secure Web Appliance", "Salesforce", "VMware vCenter", "Forcepoint Secure Web Gateway", "Azure Front Door", "Sekoia.io activity logs", "Azure Application Gateway", "F5 NGINX", "Citrix NetScaler / ADC", "Olfeo SAAS", "SonicWall Firewall", "Palo Alto NGFW", "PingFederate", "Zscaler Internet Access", "Cisco Umbrella Proxy", "CEF", "Apache HTTP Server", "Fortinet FortiGate", "F5 BIG-IP", "Cisco Secure Firewall", "HAProxy", "HarfangLab EDR", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "OGO WAF", "Sophos Firewall", "Suricata", "SentinelOne Cloud Funnel 2.0", "AWS WAF", "Palo Alto Prisma access", "Cisco Meraki MX", "Check Point NGFW"]}, {"uuid": "a3b336de-05ed-463e-8b3f-c8940415adf6", "name": "Suspicious Download Links From Legitimate Services", "effort": "intermediate", "data_sources": ["Packet capture", "Web logs", "Web proxy", "Web application firewall logs"], "description": "Detects users clicking on Google docs links to download suspicious files. This technique was used a lot by Bazar Loader in the past.", "attack": ["initial-access - Spearphishing Link (T1566.002)"], "intake-formats": ["Cloudflare Gateway HTTP", "Trellix Network Security", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Thinkst Canary", "Fastly Next-Gen WAF Audit Logs", "Salesforce", "VMware vCenter", "Azure Front Door", "Zscaler Internet Access", "CEF", "SentinelOne EDR", "Cato Networks SASE", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "Trend Micro Vision One OAT [BETA]", "Check Point Harmony Email & Collaboration Suite Security", "Delinea PRA", "Bitdefender GravityZone", "AWS WAF", "Cisco Meraki MX", "Check Point NGFW", "Cisco ESA", "Microsoft Defender XDR (Graph API) [BETA]", "OCSF", "Mimecast Email Security", "Citrix NetScaler / ADC", "Palo Alto NGFW", "Apache HTTP Server", "F5 BIG-IP", "PRODAFT USTA Cyber Threat Intelligence Platform", "Cisco Secure Firewall", "OGO WAF", "Sophos Firewall", "Microsoft 365 / Office 365", "Palo Alto Prisma access", "Trend Micro Apex One / Vision One endpoint", "BeyondTrust Privileged Remote Access Session", "Netskope", "Broadcom Edge Secure Web Gateway", "Zscaler Private Access [BETA]", "Broadcom/Symantec Endpoint Security", "Netskope Transaction Events with AWS S3", "TEHTRIS EDR", "Proofpoint TAP", "Forcepoint Secure Web Gateway", "Cisco ISE", "Sophos EDR", "Jizo AI / Sesame it NDR", "PingFederate", "Proofpoint PoD", "Stormshield SES", "Cisco Umbrella Proxy", "Cisco IOS router and switch", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Suricata", "Azure Files", "Google Cloud Load Balancing", "Squid", "Azure Key Vault", "Netskope Transaction Events [DEPRECATED]", "Trend Micro Cloud One / Deep Security", "Ubika WAAP Gateway", "Fortinet FortiProxy", "Imperva WAF", "Cisco Secure Web Appliance", "Sekoia.io activity logs", "Azure Application Gateway", "F5 NGINX", "Olfeo SAAS", "SonicWall Firewall", "Fortinet FortiMail", "Fortinet FortiGate", "HAProxy", "VMware ESXi", "SentinelOne Cloud Funnel 2.0", "Lookout Mobile Endpoint Security", "BeyondTrust PRA Team [BETA]"]}, {"uuid": "8ddec30d-3bed-4b8c-b7d8-d19b29aa88c5", "name": "Remote Access Tool Domain", "effort": "master", "data_sources": ["DNS records", "Netflow/Enclave netflow", "Network protocol analysis", "Packet capture", "Web logs"], "description": "Detects traffic toward a domain flagged as a Remote Administration Tool (RAT).", "attack": ["command-and-control - Remote Access Tools (T1219)"], "intake-formats": ["NeroSwarm Honeypot", "Cloudflare Gateway HTTP", "Azure Network Watcher [DEPRECATED]", "Trellix Network Security", "Ekinops OneOS", "Veeam Backup", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Apache SpamAssassin", "F5 Distributed Cloud", "Broadcom Cloud Secure Web Gateway", "Forcepoint Management Server", "Cloudflare Access Requests", "Tanium", "Thinkst Canary", "Fastly Next-Gen WAF Audit Logs", "Salesforce", "VMware vCenter", "Fastly Next-Gen WAF Alerts", "Azure Front Door", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Unbound", "Vade for M365", "GraphAPI for Microsoft Entra ID / Azure AD", "Broadcom Siteminder", "Cyberwatch Detection", "Microsoft Intune", "Azure Database for MySQL", "Zscaler Internet Access", "Gatewatcher AionIQ V103", "FreeRADIUS", "CEF", "SentinelOne EDR", "Wiz Audit Logs", "Cato Networks SASE", "Akamai Guardicore On-Prem [BETA]", "Olfeo secure web gateway", "One Identity SPS", "Microsoft Entra ID / Azure AD", "Aleph Alerts [BETA]", "Check Point Harmony Email & Collaboration Suite Security", "Delinea PRA", "Trend Micro Vision One OAT [BETA]", "Ubika Cloud Protector Next Generation Alerts", "Microsoft Always On VPN", "WatchGuard Firebox", "Systancia Cleanroom", "Bitdefender GravityZone", "AWS WAF", "AWS CloudFront", "Cisco Meraki MX", "Check Point NGFW", "Elastic Winlogbeat", "Cisco NX-OS", "Cisco ESA", "Seckiot Citadelle", "Kubernetes Audit Log", "Trapster (by Ballpoint) [BETA]", "Azure Network Watcher Flow Logs", "Cloudflare Audit logs", "BeyondTrust Privileged Remote Access Syslog [BETA]", "Hornetsecurity 365 Total Protection", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "Cloudflare DNS logs", "Google Workspace / ChromeOS", "Wiz Threat Detections", "OCSF", "AWS CloudTrail", "Microsoft 365 Message Trace [DEPRECATED]", "Github Audit logs", "Juniper Networks Switches", "Microsoft IIS", "Claroty xDome", "Cisco Umbrella DNS", "Juniper NGFW", "Ivanti / Pulse Connect Secure", "Mimecast Email Security", "Citrix NetScaler / ADC", "Wiz Vulnerability Findings", "Palo Alto NGFW", "Cisco Umbrella IP", "Trellix EDR [ALPHA]", "Darktrace Threat Visualizer", "Nanocorp [BETA]", "Stormshield SNS", "Apache HTTP Server", "OpenVPN", "F5 BIG-IP", "PRODAFT USTA Cyber Threat Intelligence Platform", "Ubika Cloud Protector Traffic [DEPRECATED]", "Cisco Secure Firewall", "Trellix ePO (on-prem)", "ArubaOS Switch", "Cloudflare HTTP requests", "IBM AIX", "OGO WAF", "Jumpcloud Directory Insights", "Sophos Firewall", "MokN - Baits", "Varonis Data Security", "Azure Activity Logs", "Trellix EPO [ALPHA]", "CrowdStrike Falcon", "Infoblox DDI", "Microsoft 365 / Office 365", "Gatewatcher AionIQ v102", "Palo Alto Prisma access", "Vectra Cognito Detect", "Akamai Guardicore Cloud [BETA]", "Trend Micro Apex One / Vision One endpoint", "Retarus Email Security", "BeyondTrust Privileged Remote Access Session", "Netskope", "Broadcom Edge Secure Web Gateway", "SonicWall Secure Mobile Access", "ESET Protect", "Zscaler Private Access [BETA]", "Broadcom/Symantec Endpoint Security", "Netskope Transaction Events with AWS S3", "AWS GuardDuty", "TEHTRIS EDR", "Watchguard EPDR", "Lacework Cloud Security", "Proofpoint TAP", "WithSecure Elements", "Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "WatchGuard Endpoint Security / Panda Security Aether", "Forcepoint Secure Web Gateway", "Cisco Duo Security", "Cisco ISE", "Nozomi CMC", "Radware DefensePro [Beta]", "IBM iSeries", "OpenBSD Packet Filter / OPNSense / PfSense", "Elastic AuditBeat Linux", "Rubycat PROVE IT", "Cloudflare WAF events", "Jizo AI / Sesame it NDR", "PingFederate", "Proofpoint PoD", "Stormshield SES", "Wiz Issues", "AWS VPC Flow logs", "Microsoft 365 Message Trace (Graph API)", "Cisco Umbrella Proxy", "ManageEngine ADAudit Plus", "Cisco IOS router and switch", "Google VPC Flow Logs", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "EfficientIP SOLIDServer DDI", "SentinelOne Singularity Identity", "Vade Cloud", "Netfilter", "Suricata", "Google Cloud Audit Logs", "Palo Alto Cortex XDR (EDR)", "1Password EPM", "Cloudflare Gateway DNS", "Postfix", "Azure Files", "Ubika Cloud Protector Alerts [DEPRECATED]", "Azure Windows", "Nozomi Vantage", "NucleonEDR", "Okta", "ExtraHop Reveal(x) 360", "Google Cloud Load Balancing", "CyberArk Audit Logs", "Squid", "Azure Key Vault", "Barracuda CloudGen Firewall", "Akamai WAF", "Cisco Catalyst SD-WAN", "Netskope Transaction Events [DEPRECATED]", "LockSelf LockPass/LockTransfer/LockFiles", "Trend Micro Cloud One / Deep Security", "Ubika WAAP Gateway", "Keycloak Events", "Fortinet FortiProxy", "Cybereason EDR activity", "Imperva WAF", "Cisco Secure Web Appliance", "ISC DHCP", "Sekoia.io activity logs", "Azure Application Gateway", "F5 NGINX", "Olfeo SAAS", "OpenLDAP", "SonicWall Firewall", "WALLIX Bastion", "Clavister NGFW", "Fortinet FortiWeb", "CyberArk Digital Vault", "Fortinet FortiMail", "Cloudflare Gateway Network", "Fortinet FortiGate", "Trellix Advanced Threat Defense", "HAProxy", "OpenSSH", "VMware ESXi", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "BIND", "Trend Micro Vision One Workbench Alerts [BETA]", "Bitsight SPM"]}, {"uuid": "8b59cfb4-ee83-48f3-8d0a-dcf234c5682b", "name": "Koadic MSHTML Command", "effort": "intermediate", "data_sources": ["Netflow/Enclave netflow", "Network protocol analysis", "Packet capture", "Web logs"], "description": "Detects Koadic payload using MSHTML module", "attack": ["command-and-control - Web Protocols (T1071.001)"], "intake-formats": ["NeroSwarm Honeypot", "Cloudflare Gateway HTTP", "Trellix Network Security", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "F5 Distributed Cloud", "Broadcom Cloud Secure Web Gateway", "Thinkst Canary", "Fastly Next-Gen WAF Audit Logs", "Salesforce", "VMware vCenter", "Azure Front Door", "Broadcom Siteminder", "Zscaler Internet Access", "Gatewatcher AionIQ V103", "CEF", "SentinelOne EDR", "Cato Networks SASE", "Kaspersky Endpoint Security", "Akamai Guardicore On-Prem [BETA]", "Olfeo secure web gateway", "Ubika Cloud Protector Next Generation Alerts", "Microsoft Entra ID / Azure AD", "Aleph Alerts [BETA]", "Check Point Harmony Email & Collaboration Suite Security", "Delinea PRA", "Trend Micro Vision One OAT [BETA]", "WatchGuard Firebox", "Bitdefender GravityZone", "AWS WAF", "AWS CloudFront", "Cisco Meraki MX", "Check Point NGFW", "Cisco ESA", "Kubernetes Audit Log", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "OCSF", "Microsoft IIS", "Ivanti / Pulse Connect Secure", "Mimecast Email Security", "Citrix NetScaler / ADC", "Palo Alto NGFW", "Stormshield SNS", "Apache HTTP Server", "PRODAFT USTA Cyber Threat Intelligence Platform", "F5 BIG-IP", "Ubika Cloud Protector Traffic [DEPRECATED]", "Cisco Secure Firewall", "Cloudflare HTTP requests", "OGO WAF", "Sophos Firewall", "CrowdStrike Falcon", "Microsoft 365 / Office 365", "Gatewatcher AionIQ v102", "Palo Alto Prisma access", "Trend Micro Apex One / Vision One endpoint", "Retarus Email Security", "BeyondTrust Privileged Remote Access Session", "Netskope", "Broadcom Edge Secure Web Gateway", "Zscaler Private Access [BETA]", "Broadcom/Symantec Endpoint Security", "Netskope Transaction Events with AWS S3", "TEHTRIS EDR", "Proofpoint TAP", "WithSecure Elements", "Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "Forcepoint Secure Web Gateway", "Cisco ISE", "Sophos EDR", "Cloudflare WAF events", "Jizo AI / Sesame it NDR", "PingFederate", "Proofpoint PoD", "Stormshield SES", "Wiz Issues", "Cisco Umbrella Proxy", "Cisco IOS router and switch", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Suricata", "Azure Files", "Ubika Cloud Protector Alerts [DEPRECATED]", "Google Cloud Load Balancing", "Squid", "Azure Key Vault", "Akamai WAF", "Cisco Catalyst SD-WAN", "Netskope Transaction Events [DEPRECATED]", "Trend Micro Cloud One / Deep Security", "Ubika WAAP Gateway", "Fortinet FortiProxy", "Imperva WAF", "Cisco Secure Web Appliance", "Sekoia.io activity logs", "Azure Application Gateway", "F5 NGINX", "Olfeo SAAS", "SonicWall Firewall", "Fortinet FortiWeb", "Fortinet FortiMail", "Fortinet FortiGate", "HAProxy", "VMware ESXi", "SentinelOne Cloud Funnel 2.0", "Lookout Mobile Endpoint Security", "BeyondTrust PRA Team [BETA]"]}, {"uuid": "28ea5da5-c2e5-45ce-97ef-f7c3a7d0e3ce", "name": "Loss Of Parsing", "effort": "master", "data_sources": ["Application logs", "Data loss prevention", "Web logs", "Packet capture"], "description": "Spots the loss of events parsing by Sekoia.io, could indicate a loss of valid events flow. The strategy is to focus on less frequent event to limit the impact of the skewness in the count distribution law.", "attack": ["stealth - Impair Defenses (T1562)", "stealth - Disable or Modify Cloud Logs (T1562.008)", "defense-impairment - Network Boundary Bridging (T1599)"], "intake-formats": []}, {"uuid": "1578c01b-490d-4e99-8579-4553d3e76067", "name": "Retarus Email Security Threat Detected (MultiScan)", "effort": "intermediate", "data_sources": ["Email gateway"], "description": "Antivirus MultiScan alerts detected by Retarus Email Security. AntiVirus MultiScan automatically scans incoming and outgoing emails and file attachments for viruses with up to four virus scanners and uses heuristic analysis to protect from unknown malware.", "attack": ["initial-access - Spearphishing Attachment (T1566.001)"], "intake-formats": ["Retarus Email Security"]}, {"uuid": "bfc2e7cc-a829-4ead-9688-1b0ed420e6dd", "name": "GitLab CVE-2021-22205", "effort": "intermediate", "data_sources": ["Network device logs", "Packet capture", "Windows event logs"], "description": "Detects GitLab vulnerability CVE-2021-22205 exploitation success. It allows an attacker to do some remote code execution with user git. The HTTP return code 422 indicates a successfull exploitation.", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Cloudflare Gateway HTTP", "Broadcom Edge Secure Web Gateway", "Google Cloud Load Balancing", "Zscaler Private Access [BETA]", "Netskope Transaction Events with AWS S3", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Squid", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "OCSF", "Imperva WAF", "Thinkst Canary", "Cisco Secure Web Appliance", "Salesforce", "VMware vCenter", "Azure Front Door", "Azure Application Gateway", "F5 NGINX", "Citrix NetScaler / ADC", "Olfeo SAAS", "PingFederate", "Zscaler Internet Access", "Cisco Umbrella Proxy", "Apache HTTP Server", "F5 BIG-IP", "Cisco Secure Firewall", "Windows", "HAProxy", "HarfangLab EDR", "Olfeo secure web gateway", "Sekoia.io Endpoint Agent", "Microsoft Entra ID / Azure AD", "OGO WAF", "Sophos Firewall", "Suricata", "AWS WAF"]}, {"uuid": "dd6116e5-2277-4f39-96b1-fc7d9b72cd45", "name": "FreeRADIUS Failed Authentication", "effort": "advanced", "data_sources": ["Network device logs", "Authentication logs"], "description": "A failed authentication was logged by FreeRADIUS ", "attack": ["credential-access - Password Guessing (T1110.001)"], "intake-formats": ["FreeRADIUS"]}, {"uuid": "68c9b077-0a3f-4b95-975d-1080c67c6cc8", "name": "Dynamic DNS Contacted", "effort": "master", "data_sources": ["DNS records", "Netflow/Enclave netflow", "Network protocol analysis", "Packet capture", "Process use of network", "Web logs"], "description": "Detect communication with dynamic dns domain. This kind of domain is often used by attackers. This rule can trigger false positive in non-controlled environment because dynamic dns is not always malicious.", "attack": ["command-and-control - Application Layer Protocol (T1071)"], "intake-formats": ["NeroSwarm Honeypot", "Cloudflare Gateway HTTP", "Azure Network Watcher [DEPRECATED]", "Trellix Network Security", "Ekinops OneOS", "Veeam Backup", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Apache SpamAssassin", "F5 Distributed Cloud", "Broadcom Cloud Secure Web Gateway", "Forcepoint Management Server", "Cloudflare Access Requests", "Tanium", "Thinkst Canary", "Fastly Next-Gen WAF Audit Logs", "Salesforce", "VMware vCenter", "Fastly Next-Gen WAF Alerts", "Azure Front Door", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Unbound", "Vade for M365", "GraphAPI for Microsoft Entra ID / Azure AD", "Broadcom Siteminder", "Cyberwatch Detection", "Microsoft Intune", "Azure Database for MySQL", "Zscaler Internet Access", "Gatewatcher AionIQ V103", "FreeRADIUS", "CEF", "SentinelOne EDR", "Wiz Audit Logs", "Cato Networks SASE", "Akamai Guardicore On-Prem [BETA]", "Olfeo secure web gateway", "One Identity SPS", "Microsoft Entra ID / Azure AD", "Aleph Alerts [BETA]", "Check Point Harmony Email & Collaboration Suite Security", "Delinea PRA", "Trend Micro Vision One OAT [BETA]", "Ubika Cloud Protector Next Generation Alerts", "Microsoft Always On VPN", "WatchGuard Firebox", "Systancia Cleanroom", "Bitdefender GravityZone", "AWS WAF", "AWS CloudFront", "Cisco Meraki MX", "Check Point NGFW", "Elastic Winlogbeat", "Cisco NX-OS", "Cisco ESA", "Seckiot Citadelle", "Kubernetes Audit Log", "Trapster (by Ballpoint) [BETA]", "Azure Network Watcher Flow Logs", "Cloudflare Audit logs", "BeyondTrust Privileged Remote Access Syslog [BETA]", "Hornetsecurity 365 Total Protection", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "Cloudflare DNS logs", "Google Workspace / ChromeOS", "Wiz Threat Detections", "OCSF", "AWS CloudTrail", "Microsoft 365 Message Trace [DEPRECATED]", "Github Audit logs", "Juniper Networks Switches", "Microsoft IIS", "Claroty xDome", "Cisco Umbrella DNS", "Juniper NGFW", "Ivanti / Pulse Connect Secure", "Mimecast Email Security", "Citrix NetScaler / ADC", "Wiz Vulnerability Findings", "Palo Alto NGFW", "Cisco Umbrella IP", "Trellix EDR [ALPHA]", "Darktrace Threat Visualizer", "Nanocorp [BETA]", "Stormshield SNS", "Apache HTTP Server", "OpenVPN", "F5 BIG-IP", "PRODAFT USTA Cyber Threat Intelligence Platform", "Ubika Cloud Protector Traffic [DEPRECATED]", "Cisco Secure Firewall", "Trellix ePO (on-prem)", "ArubaOS Switch", "Cloudflare HTTP requests", "IBM AIX", "OGO WAF", "Jumpcloud Directory Insights", "Sophos Firewall", "MokN - Baits", "Varonis Data Security", "Azure Activity Logs", "Trellix EPO [ALPHA]", "CrowdStrike Falcon", "Infoblox DDI", "Microsoft 365 / Office 365", "Gatewatcher AionIQ v102", "Palo Alto Prisma access", "Vectra Cognito Detect", "Akamai Guardicore Cloud [BETA]", "Trend Micro Apex One / Vision One endpoint", "Retarus Email Security", "BeyondTrust Privileged Remote Access Session", "Netskope", "Broadcom Edge Secure Web Gateway", "SonicWall Secure Mobile Access", "ESET Protect", "Zscaler Private Access [BETA]", "Broadcom/Symantec Endpoint Security", "Netskope Transaction Events with AWS S3", "AWS GuardDuty", "TEHTRIS EDR", "Watchguard EPDR", "Lacework Cloud Security", "Proofpoint TAP", "WithSecure Elements", "Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "WatchGuard Endpoint Security / Panda Security Aether", "Forcepoint Secure Web Gateway", "Cisco Duo Security", "Cisco ISE", "Nozomi CMC", "Radware DefensePro [Beta]", "IBM iSeries", "OpenBSD Packet Filter / OPNSense / PfSense", "Elastic AuditBeat Linux", "Rubycat PROVE IT", "Cloudflare WAF events", "Jizo AI / Sesame it NDR", "PingFederate", "Proofpoint PoD", "Stormshield SES", "Wiz Issues", "AWS VPC Flow logs", "Microsoft 365 Message Trace (Graph API)", "Cisco Umbrella Proxy", "ManageEngine ADAudit Plus", "Cisco IOS router and switch", "Google VPC Flow Logs", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "EfficientIP SOLIDServer DDI", "SentinelOne Singularity Identity", "Vade Cloud", "Netfilter", "Suricata", "Google Cloud Audit Logs", "Palo Alto Cortex XDR (EDR)", "1Password EPM", "Cloudflare Gateway DNS", "Postfix", "Azure Files", "Ubika Cloud Protector Alerts [DEPRECATED]", "Azure Windows", "Nozomi Vantage", "NucleonEDR", "Okta", "ExtraHop Reveal(x) 360", "Google Cloud Load Balancing", "CyberArk Audit Logs", "Squid", "Azure Key Vault", "Barracuda CloudGen Firewall", "Akamai WAF", "Cisco Catalyst SD-WAN", "Netskope Transaction Events [DEPRECATED]", "LockSelf LockPass/LockTransfer/LockFiles", "Trend Micro Cloud One / Deep Security", "Ubika WAAP Gateway", "Keycloak Events", "Fortinet FortiProxy", "Cybereason EDR activity", "Imperva WAF", "Cisco Secure Web Appliance", "ISC DHCP", "Sekoia.io activity logs", "Azure Application Gateway", "F5 NGINX", "Olfeo SAAS", "OpenLDAP", "SonicWall Firewall", "WALLIX Bastion", "Clavister NGFW", "Fortinet FortiWeb", "CyberArk Digital Vault", "Fortinet FortiMail", "Cloudflare Gateway Network", "Fortinet FortiGate", "Trellix Advanced Threat Defense", "HAProxy", "OpenSSH", "VMware ESXi", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "BIND", "Trend Micro Vision One Workbench Alerts [BETA]", "Bitsight SPM"]}, {"uuid": "aa89184c-aa79-4b47-bf83-49adf081cef7", "name": "Covenant Default HTTP Beaconing", "effort": "intermediate", "data_sources": ["Netflow/Enclave netflow", "Network protocol analysis", "Packet capture", "Web logs"], "description": "Detects potential Covenant communications through the user-agent and specific urls", "attack": ["command-and-control - Web Protocols (T1071.001)"], "intake-formats": ["NeroSwarm Honeypot", "Cisco ESA", "Cloudflare Gateway HTTP", "Broadcom Edge Secure Web Gateway", "Google Cloud Load Balancing", "Kubernetes Audit Log", "Netskope", "Trellix Network Security", "Zscaler Private Access [BETA]", "Netskope Transaction Events with AWS S3", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Squid", "Azure Key Vault", "F5 Distributed Cloud", "Cisco Catalyst SD-WAN", "Broadcom Cloud Secure Web Gateway", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "OCSF", "Fortinet FortiProxy", "Proofpoint TAP", "Imperva WAF", "Fastly Next-Gen WAF Audit Logs", "Thinkst Canary", "Cisco Secure Web Appliance", "Salesforce", "Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "VMware vCenter", "Forcepoint Secure Web Gateway", "Azure Front Door", "Cisco ISE", "Sekoia.io activity logs", "Azure Application Gateway", "F5 NGINX", "Ivanti / Pulse Connect Secure", "Citrix NetScaler / ADC", "SonicWall Firewall", "Cloudflare WAF events", "Fortinet FortiWeb", "Zscaler Internet Access", "Gatewatcher AionIQ V103", "Cisco Umbrella Proxy", "CEF", "Apache HTTP Server", "Fortinet FortiGate", "F5 BIG-IP", "Ubika Cloud Protector Traffic [DEPRECATED]", "Cato Networks SASE", "Cisco Secure Firewall", "Windows", "HAProxy", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Cloudflare HTTP requests", "Ubika Cloud Protector Next Generation Alerts", "Microsoft Entra ID / Azure AD", "OGO WAF", "Delinea PRA", "Sophos Firewall", "Suricata", "VMware ESXi", "CrowdStrike Falcon", "AWS WAF", "Gatewatcher AionIQ v102", "Microsoft 365 / Office 365", "AWS CloudFront", "Azure Files", "Cisco Meraki MX", "Check Point NGFW"]}, {"uuid": "65fb80f9-ecd6-458d-9b29-3ed561bbcf29", "name": "ESET Protect Set Policy", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects when a new policy is set or removed.", "attack": ["privilege-escalation - Domain or Tenant Policy Modification (T1484)"], "intake-formats": ["ESET Protect"]}, {"uuid": "d63ac73e-a00d-4c54-98ee-def8956b1bbd", "name": "Malware Detected By Vade For M365", "effort": "master", "data_sources": ["Anti-virus", "Email gateway"], "description": "Vade Secure product Vade for M365 has detected a malware contained in the message.", "attack": ["initial-access - Phishing (T1566)", "execution - Malicious File (T1204.002)"], "intake-formats": ["Vade for M365"]}, {"uuid": "6fcb4ade-2bcf-48ef-bdfd-c115638717b6", "name": "Download Files From Non-Legitimate TLDs", "effort": "master", "data_sources": ["Web logs", "Web proxy", "Web application firewall logs", "Packet capture"], "description": "Detects file downloads from non-legitimate TLDs. Additional legitimates TLDs should be filtered according to the business habits.", "attack": ["initial-access - Phishing (T1566)", "execution - Exploitation for Client Execution (T1203)", "execution - User Execution (T1204)", "execution - Malicious Link (T1204.001)", "execution - Malicious File (T1204.002)"], "intake-formats": ["Fortinet FortiProxy", "Netskope", "Gatewatcher AionIQ V103", "Crowdstrike Falcon Telemetry", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "F5 BIG-IP", "F5 NGINX", "Windows"]}, {"uuid": "1e1185cf-337e-4368-9274-937f87728ee4", "name": "Netskope Successful Brute-Force On Management Console", "effort": "master", "data_sources": ["Authentication logs", "Web application firewall logs", "Web logs", "Web proxy"], "description": "Detects successful access to Netskope management console after more than 10 failures in 5 minutes for the same user name.", "attack": ["credential-access - Brute Force (T1110)", "initial-access - Valid Accounts (T1078)"], "intake-formats": ["Netskope"]}, {"uuid": "99154a31-7b4d-4e9e-9557-2b3c93e50111", "name": "1Password EPM Share Externally", "effort": "master", "data_sources": ["Third-party application logs"], "description": "Detects when an item from 1Password is shared externally.", "attack": ["exfiltration - Exfiltration Over Alternative Protocol (T1048)"], "intake-formats": ["1Password EPM"]}, {"uuid": "235ffb78-35af-4806-9ee2-f6bdaeec2d92", "name": "Potential DNS Tunnel", "effort": "advanced", "data_sources": ["DNS records", "Netflow/Enclave netflow", "Network protocol analysis", "Web logs"], "description": "Detects domain name which is longer than 62 characters. Long domain names are distinctive of DNS tunnels.", "attack": ["exfiltration - Exfiltration Over Alternative Protocol (T1048)", "command-and-control - Protocol Tunneling (T1572)"], "intake-formats": ["Cloudflare Gateway HTTP", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Broadcom Cloud Secure Web Gateway", "Tanium", "Thinkst Canary", "Sophos Analysis Threat Center", "Unbound", "Zscaler Internet Access", "CEF", "Cato Networks SASE", "Akamai Guardicore On-Prem [BETA]", "One Identity SPS", "Delinea PRA", "WatchGuard Firebox", "AWS WAF", "AWS CloudFront", "Check Point NGFW", "Elastic Winlogbeat", "Cisco NX-OS", "Hornetsecurity 365 Total Protection", "Crowdstrike Falcon Telemetry", "Cloudflare DNS logs", "OCSF", "Claroty xDome", "Cisco Umbrella DNS", "Juniper NGFW", "Ivanti / Pulse Connect Secure", "Palo Alto NGFW", "Apache HTTP Server", "F5 BIG-IP", "Cisco Secure Firewall", "ArubaOS Switch", "OGO WAF", "Sophos Firewall", "CrowdStrike Falcon", "Infoblox DDI", "Palo Alto Prisma access", "Gatewatcher AionIQ v102", "Trend Micro Apex One / Vision One endpoint", "Akamai Guardicore Cloud [BETA]", "Retarus Email Security", "Broadcom Edge Secure Web Gateway", "Zscaler Private Access [BETA]", "Broadcom/Symantec Endpoint Security", "AWS GuardDuty", "Forcepoint Secure Web Gateway", "Cisco ISE", "Nozomi CMC", "Cloudflare WAF events", "PingFederate", "Cisco Umbrella Proxy", "Windows", "HarfangLab EDR", "EfficientIP SOLIDServer DDI", "SentinelOne Singularity Identity", "Vade Cloud", "Suricata", "Palo Alto Cortex XDR (EDR)", "Cloudflare Gateway DNS", "Postfix", "Azure Windows", "Squid", "Barracuda CloudGen Firewall", "Fortinet FortiProxy", "Imperva WAF", "Cisco Secure Web Appliance", "F5 NGINX", "WALLIX Bastion", "SonicWall Firewall", "CyberArk Digital Vault", "Fortinet FortiMail", "Cloudflare Gateway Network", "Fortinet FortiGate", "HAProxy", "VMware ESXi", "SentinelOne Cloud Funnel 2.0", "BIND", "Vectra Cognito Detect"]}, {"uuid": "ce5fbf2e-a845-408d-89a3-ae1b7a9dc664", "name": "Correlation Fortigate Multi Dest From One Internal Ip", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "This rule detect an internal asset that targets several destination IP address with the same threat", "attack": ["reconnaissance - Active Scanning (T1595)"], "intake-formats": ["Fortinet FortiGate"]}, {"uuid": "8aaf5781-3f6b-4406-8769-a6138c1490f8", "name": "Internet Scanner", "effort": "master", "data_sources": ["Network device logs", "Network intrusion detection system", "Web application firewall logs", "Web logs", "DNS records", "Network protocol analysis", "Packet capture"], "description": "Detects known scanner IP addresses. Alert is only raised when the scan hits an opened port, on TCP or UDP. This could be a very noisy rule, so be careful to check your detection perimeter before activation.", "attack": ["reconnaissance - Gather Victim Network Information (T1590)", "reconnaissance - Active Scanning (T1595)"], "intake-formats": ["NeroSwarm Honeypot", "Trellix Network Security", "Ekinops OneOS", "Broadcom/Symantec Endpoint Security", "AWS GuardDuty", "Google Workspace / ChromeOS", "Barracuda CloudGen Firewall", "Nozomi CMC", "OpenBSD Packet Filter / OPNSense / PfSense", "Ivanti / Pulse Connect Secure", "Nozomi Vantage", "Palo Alto NGFW", "Jizo AI / Sesame it NDR", "Stormshield SES", "Proofpoint PoD", "Fortinet FortiGate", "Cloudflare Gateway Network", "F5 BIG-IP", "Cato Networks SASE", "Cisco Secure Firewall", "Akamai Guardicore On-Prem [BETA]", "EfficientIP SOLIDServer DDI", "Netfilter", "Delinea PRA", "Sophos Firewall", "Suricata", "WatchGuard Firebox", "Infoblox DDI", "Palo Alto Prisma access", "Gatewatcher AionIQ v102", "Check Point NGFW", "Akamai Guardicore Cloud [BETA]", "Elastic Winlogbeat"]}, {"uuid": "f3492a34-bf75-4963-b3a5-44943aff530a", "name": "Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan", "effort": "advanced", "data_sources": ["Web proxy", "Anti-virus"], "description": "Cloudflare Gateway allows admins to enable Anti-Virus (AV) scanning of files that are uploaded or downloaded by users as the file passes through Gateway. AV scanning of files requires organizations to enable Proxy mode under Settings > Network > Layer 7 Firewall. TLS decryption is also recommended to enable inspection of HTTPS traffic.", "attack": ["command-and-control - Web Protocols (T1071.001)", "command-and-control - Ingress Tool Transfer (T1105)"], "intake-formats": ["Cloudflare Gateway HTTP"]}, {"uuid": "e7e23a2c-ddb8-425c-8a1c-ec9e34034431", "name": "Spam Detected By Vade For M365 And Not Blocked", "effort": "advanced", "data_sources": ["Anti-virus", "Email gateway"], "description": "Vade Secure product Vade for M365, has detected a spam e-mail and didn't block it.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Vade for M365"]}, {"uuid": "d1718d63-39e2-49ca-a564-a13175acfbbb", "name": "Suspicious TOR Gateway", "effort": "advanced", "data_sources": ["DNS records", "Packet capture", "Web logs", "Web application firewall logs", "Web proxy"], "description": "Detects suspicious TOR gateways. Gateways are often used by the victim to pay and decrypt the encrypted files without installing TOR. Tor intercepts the network traffic from one or more apps on user\u2019s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user\u2019s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what\u2019s left on to the next relay in the list.", "attack": ["command-and-control - Multi-hop Proxy (T1090.003)"], "intake-formats": ["Cloudflare Gateway HTTP", "Trellix Network Security", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Broadcom Cloud Secure Web Gateway", "Tanium", "Thinkst Canary", "Fastly Next-Gen WAF Audit Logs", "Salesforce", "VMware vCenter", "Azure Front Door", "Sophos Analysis Threat Center", "Unbound", "Zscaler Internet Access", "CEF", "SentinelOne EDR", "Cato Networks SASE", "Akamai Guardicore On-Prem [BETA]", "Olfeo secure web gateway", "One Identity SPS", "Microsoft Entra ID / Azure AD", "Trend Micro Vision One OAT [BETA]", "Check Point Harmony Email & Collaboration Suite Security", "Delinea PRA", "WatchGuard Firebox", "Bitdefender GravityZone", "AWS WAF", "AWS CloudFront", "Cisco Meraki MX", "Check Point NGFW", "Elastic Winlogbeat", "Cisco NX-OS", "Cisco ESA", "Hornetsecurity 365 Total Protection", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "Cloudflare DNS logs", "OCSF", "Claroty xDome", "Cisco Umbrella DNS", "Juniper NGFW", "Ivanti / Pulse Connect Secure", "Mimecast Email Security", "Citrix NetScaler / ADC", "Palo Alto NGFW", "Apache HTTP Server", "F5 BIG-IP", "PRODAFT USTA Cyber Threat Intelligence Platform", "Cisco Secure Firewall", "ArubaOS Switch", "OGO WAF", "Sophos Firewall", "CrowdStrike Falcon", "Infoblox DDI", "Microsoft 365 / Office 365", "Gatewatcher AionIQ v102", "Palo Alto Prisma access", "Akamai Guardicore Cloud [BETA]", "Trend Micro Apex One / Vision One endpoint", "Retarus Email Security", "BeyondTrust Privileged Remote Access Session", "Netskope", "Broadcom Edge Secure Web Gateway", "Zscaler Private Access [BETA]", "Broadcom/Symantec Endpoint Security", "Netskope Transaction Events with AWS S3", "AWS GuardDuty", "TEHTRIS EDR", "Proofpoint TAP", "Forcepoint Secure Web Gateway", "Cisco ISE", "Nozomi CMC", "Sophos EDR", "Cloudflare WAF events", "Jizo AI / Sesame it NDR", "PingFederate", "Proofpoint PoD", "Stormshield SES", "Cisco Umbrella Proxy", "Cisco IOS router and switch", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "EfficientIP SOLIDServer DDI", "SentinelOne Singularity Identity", "Vade Cloud", "Suricata", "Palo Alto Cortex XDR (EDR)", "Cloudflare Gateway DNS", "Postfix", "Azure Files", "Azure Windows", "Google Cloud Load Balancing", "Squid", "Azure Key Vault", "Barracuda CloudGen Firewall", "Netskope Transaction Events [DEPRECATED]", "Trend Micro Cloud One / Deep Security", "Ubika WAAP Gateway", "Fortinet FortiProxy", "Imperva WAF", "Cisco Secure Web Appliance", "Sekoia.io activity logs", "Azure Application Gateway", "F5 NGINX", "Olfeo SAAS", "SonicWall Firewall", "WALLIX Bastion", "CyberArk Digital Vault", "Fortinet FortiMail", "Cloudflare Gateway Network", "Fortinet FortiGate", "HAProxy", "VMware ESXi", "SentinelOne Cloud Funnel 2.0", "Lookout Mobile Endpoint Security", "BeyondTrust PRA Team [BETA]", "BIND", "Vectra Cognito Detect"]}, {"uuid": "fa9a162b-444b-4ed5-9898-08aa5864a9e8", "name": "Telegram Bot API Request", "effort": "advanced", "data_sources": ["DNS records", "Netflow/Enclave netflow", "Network protocol analysis", "Packet capture", "Web logs"], "description": "Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind", "attack": ["command-and-control - Bidirectional Communication (T1102.002)"], "intake-formats": ["Cloudflare Gateway HTTP", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Broadcom Cloud Secure Web Gateway", "Tanium", "Thinkst Canary", "Sophos Analysis Threat Center", "Unbound", "Zscaler Internet Access", "CEF", "Cato Networks SASE", "Akamai Guardicore On-Prem [BETA]", "One Identity SPS", "Delinea PRA", "WatchGuard Firebox", "AWS WAF", "AWS CloudFront", "Check Point NGFW", "Elastic Winlogbeat", "Cisco NX-OS", "Hornetsecurity 365 Total Protection", "Crowdstrike Falcon Telemetry", "Cloudflare DNS logs", "OCSF", "Claroty xDome", "Cisco Umbrella DNS", "Juniper NGFW", "Ivanti / Pulse Connect Secure", "Palo Alto NGFW", "Apache HTTP Server", "F5 BIG-IP", "Cisco Secure Firewall", "ArubaOS Switch", "OGO WAF", "Sophos Firewall", "CrowdStrike Falcon", "Infoblox DDI", "Palo Alto Prisma access", "Gatewatcher AionIQ v102", "Trend Micro Apex One / Vision One endpoint", "Akamai Guardicore Cloud [BETA]", "Retarus Email Security", "Broadcom Edge Secure Web Gateway", "Zscaler Private Access [BETA]", "Broadcom/Symantec Endpoint Security", "AWS GuardDuty", "Forcepoint Secure Web Gateway", "Cisco ISE", "Nozomi CMC", "Cloudflare WAF events", "PingFederate", "Cisco Umbrella Proxy", "Windows", "HarfangLab EDR", "EfficientIP SOLIDServer DDI", "SentinelOne Singularity Identity", "Vade Cloud", "Suricata", "Palo Alto Cortex XDR (EDR)", "Cloudflare Gateway DNS", "Postfix", "Azure Windows", "Squid", "Barracuda CloudGen Firewall", "Fortinet FortiProxy", "Imperva WAF", "Cisco Secure Web Appliance", "F5 NGINX", "WALLIX Bastion", "SonicWall Firewall", "CyberArk Digital Vault", "Fortinet FortiMail", "Cloudflare Gateway Network", "Fortinet FortiGate", "HAProxy", "VMware ESXi", "SentinelOne Cloud Funnel 2.0", "BIND", "Vectra Cognito Detect"]}, {"uuid": "cbfaa3b3-f868-4483-a186-20e1b0e3d8ce", "name": "EvilProxy Phishing Domain", "effort": "intermediate", "data_sources": ["DNS records", "Web proxy"], "description": "Detects subdomains potentially generated by the EvilProxy adversary-in-the-middle phishing platform. Inspect the other subdomains of the domain to identify the landing page, and determine if the user submitted credentials. This rule has a small percentage of false positives on legitimate domains.", "attack": ["collection - Adversary-in-the-Middle (T1557)", "credential-access - Multi-Factor Authentication Interception (T1111)"], "intake-formats": ["Cloudflare Gateway HTTP", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "F5 Distributed Cloud", "Broadcom Cloud Secure Web Gateway", "Cloudflare Access Requests", "Tanium", "Thinkst Canary", "Sophos Analysis Threat Center", "Unbound", "Zscaler Internet Access", "Gatewatcher AionIQ V103", "CEF", "Cato Networks SASE", "Akamai Guardicore On-Prem [BETA]", "One Identity SPS", "Ubika Cloud Protector Next Generation Alerts", "Aleph Alerts [BETA]", "Delinea PRA", "WatchGuard Firebox", "Bitdefender GravityZone", "AWS WAF", "AWS CloudFront", "Check Point NGFW", "Elastic Winlogbeat", "Cisco NX-OS", "Cisco ESA", "Trapster (by Ballpoint) [BETA]", "Hornetsecurity 365 Total Protection", "Crowdstrike Falcon Telemetry", "Cloudflare DNS logs", "OCSF", "Claroty xDome", "Cisco Umbrella DNS", "Juniper NGFW", "Ivanti / Pulse Connect Secure", "Citrix NetScaler / ADC", "Palo Alto NGFW", "Stormshield SNS", "Apache HTTP Server", "F5 BIG-IP", "Cisco Secure Firewall", "ArubaOS Switch", "OGO WAF", "Sophos Firewall", "MokN - Baits", "CrowdStrike Falcon", "Infoblox DDI", "Palo Alto Prisma access", "Gatewatcher AionIQ v102", "Akamai Guardicore Cloud [BETA]", "Trend Micro Apex One / Vision One endpoint", "Retarus Email Security", "Netskope", "Broadcom Edge Secure Web Gateway", "Zscaler Private Access [BETA]", "Broadcom/Symantec Endpoint Security", "Netskope Transaction Events with AWS S3", "AWS GuardDuty", "Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "Forcepoint Secure Web Gateway", "Cisco ISE", "Nozomi CMC", "Cloudflare WAF events", "PingFederate", "Cisco Umbrella Proxy", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "EfficientIP SOLIDServer DDI", "SentinelOne Singularity Identity", "Vade Cloud", "Suricata", "Palo Alto Cortex XDR (EDR)", "Cloudflare Gateway DNS", "Postfix", "Azure Windows", "Squid", "Barracuda CloudGen Firewall", "Akamai WAF", "Cisco Catalyst SD-WAN", "Ubika WAAP Gateway", "Fortinet FortiProxy", "Imperva WAF", "Cisco Secure Web Appliance", "F5 NGINX", "WALLIX Bastion", "SonicWall Firewall", "Fortinet FortiWeb", "CyberArk Digital Vault", "Fortinet FortiMail", "Cloudflare Gateway Network", "Fortinet FortiGate", "HAProxy", "VMware ESXi", "SentinelOne Cloud Funnel 2.0", "BIND", "Vectra Cognito Detect", "Bitsight SPM"]}, {"uuid": "49b68c96-d5ff-495d-8dba-265737cd6295", "name": "CVE-2019-19781 Citrix NetScaler (ADC)", "effort": "elementary", "data_sources": ["Packet capture", "Web logs", "Web proxy", "Web application firewall logs"], "description": "Detects CVE-2019-19781 exploitation attempt against Citrix NetScaler (ADC), Application Delivery Controller and Citrix Gateway Attack.", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Cloudflare Gateway HTTP", "Broadcom Edge Secure Web Gateway", "Google Cloud Load Balancing", "Zscaler Private Access [BETA]", "Netskope Transaction Events with AWS S3", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Squid", "Azure Key Vault", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "OCSF", "Fortinet FortiProxy", "Imperva WAF", "Thinkst Canary", "Cisco Secure Web Appliance", "Salesforce", "VMware vCenter", "Azure Front Door", "Azure Application Gateway", "F5 NGINX", "Citrix NetScaler / ADC", "Olfeo SAAS", "Jizo AI / Sesame it NDR", "PingFederate", "Zscaler Internet Access", "Cisco Umbrella Proxy", "Apache HTTP Server", "F5 BIG-IP", "Cisco Secure Firewall", "HAProxy", "HarfangLab EDR", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "OGO WAF", "Delinea PRA", "Sophos Firewall", "Suricata", "AWS WAF", "Azure Files"]}, {"uuid": "8414af30-04d7-4a29-a83b-b82885572cf3", "name": "Anomaly Multiple Host Port Scan", "effort": "master", "data_sources": ["Network device logs", "Network intrusion detection system"], "description": "Detects multiple port scan from/to a private address, excluding DNS.", "attack": ["discovery - Network Service Discovery (T1046)"], "intake-formats": []}, {"uuid": "24d704c1-53e2-4e09-b88f-7ebc8e73cd09", "name": "Possible Malicious File Double Extension", "effort": "elementary", "data_sources": ["Packet capture", "Web logs", "Web application firewall logs", "Web proxy"], "description": "Detects request to potential malicious file with double extension", "attack": ["initial-access - Phishing (T1566)", "stealth - Double File Extension (T1036.007)"], "intake-formats": ["Cloudflare Gateway HTTP", "Trellix Network Security", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Thinkst Canary", "Fastly Next-Gen WAF Audit Logs", "Salesforce", "VMware vCenter", "Azure Front Door", "Zscaler Internet Access", "CEF", "SentinelOne EDR", "Cato Networks SASE", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "Trend Micro Vision One OAT [BETA]", "Check Point Harmony Email & Collaboration Suite Security", "Delinea PRA", "Bitdefender GravityZone", "AWS WAF", "Cisco Meraki MX", "Check Point NGFW", "Cisco ESA", "Microsoft Defender XDR (Graph API) [BETA]", "OCSF", "Mimecast Email Security", "Citrix NetScaler / ADC", "Palo Alto NGFW", "Apache HTTP Server", "F5 BIG-IP", "PRODAFT USTA Cyber Threat Intelligence Platform", "Cisco Secure Firewall", "OGO WAF", "Sophos Firewall", "Microsoft 365 / Office 365", "Palo Alto Prisma access", "Trend Micro Apex One / Vision One endpoint", "BeyondTrust Privileged Remote Access Session", "Netskope", "Broadcom Edge Secure Web Gateway", "Zscaler Private Access [BETA]", "Broadcom/Symantec Endpoint Security", "Netskope Transaction Events with AWS S3", "TEHTRIS EDR", "Proofpoint TAP", "Forcepoint Secure Web Gateway", "Cisco ISE", "Sophos EDR", "Jizo AI / Sesame it NDR", "PingFederate", "Proofpoint PoD", "Stormshield SES", "Cisco Umbrella Proxy", "Cisco IOS router and switch", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Suricata", "Azure Files", "Google Cloud Load Balancing", "Squid", "Azure Key Vault", "Netskope Transaction Events [DEPRECATED]", "Trend Micro Cloud One / Deep Security", "Ubika WAAP Gateway", "Fortinet FortiProxy", "Imperva WAF", "Cisco Secure Web Appliance", "Sekoia.io activity logs", "Azure Application Gateway", "F5 NGINX", "Olfeo SAAS", "SonicWall Firewall", "Fortinet FortiMail", "Fortinet FortiGate", "HAProxy", "VMware ESXi", "SentinelOne Cloud Funnel 2.0", "Lookout Mobile Endpoint Security", "BeyondTrust PRA Team [BETA]"]}, {"uuid": "3035b533-9def-4397-80db-fa98017b97e9", "name": "Scam Detected By Vade For M365", "effort": "master", "data_sources": ["Anti-virus", "Email gateway"], "description": "Vade Secure product Vade for M365, has detected a scam e-mail.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Vade for M365"]}, {"uuid": "deb49945-1556-4c3e-bfc6-4bfbf098e988", "name": "Citrix NetScaler (ADC) Actions Blocked", "effort": "advanced", "data_sources": ["Application logs"], "description": "This rule aims to detect a large amount of actions blocked performed from the same source.", "attack": ["privilege-escalation - Abuse Elevation Control Mechanism (T1548)"], "intake-formats": ["Citrix NetScaler / ADC"]}, {"uuid": "c0bbf8ed-a730-4165-b6d8-15990b437ea7", "name": "Scam Detected By Vade For M365 And Not Blocked", "effort": "advanced", "data_sources": ["Anti-virus", "Email gateway"], "description": "Vade Secure product Vade for M365, has detected a scam e-mail and didn't block it.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Vade for M365"]}, {"uuid": "8e632b7d-0070-4567-bf5d-d1eac6afad37", "name": "1Password EPM MFA Disable", "effort": "master", "data_sources": ["Third-party application logs"], "description": "Detects when the MFA for 1Password is disabled.", "attack": ["credential-access - Multi-Factor Authentication (T1556.006)"], "intake-formats": ["1Password EPM"]}, {"uuid": "a7d60e17-f963-4ed9-a74a-7b8a3b11e9be", "name": "FoggyWeb HTTP Default GET/POST Requests", "effort": "advanced", "data_sources": ["Packet capture", "Network protocol analysis", "Web logs", "Web application firewall logs"], "description": "Detects GET or POST request pattern observed within the first FoggyWeb campaign detected by Microsoft.", "attack": ["command-and-control - Web Protocols (T1071.001)"], "intake-formats": ["Cloudflare Gateway HTTP", "Broadcom Edge Secure Web Gateway", "Google Cloud Load Balancing", "Trellix Network Security", "Zscaler Private Access [BETA]", "Netskope Transaction Events with AWS S3", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Squid", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "OCSF", "Imperva WAF", "Thinkst Canary", "Cisco Secure Web Appliance", "Salesforce", "VMware vCenter", "Forcepoint Secure Web Gateway", "Azure Front Door", "Sekoia.io activity logs", "Azure Application Gateway", "F5 NGINX", "Citrix NetScaler / ADC", "Olfeo SAAS", "SonicWall Firewall", "Palo Alto NGFW", "PingFederate", "Zscaler Internet Access", "Cisco Umbrella Proxy", "CEF", "Apache HTTP Server", "Fortinet FortiGate", "F5 BIG-IP", "Cisco Secure Firewall", "HAProxy", "HarfangLab EDR", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "OGO WAF", "Sophos Firewall", "Suricata", "SentinelOne Cloud Funnel 2.0", "AWS WAF", "Palo Alto Prisma access", "Cisco Meraki MX", "Check Point NGFW"]}, {"uuid": "390acf78-d41d-4f59-bf62-9fcb20133b3c", "name": "Internet Scanner Target", "effort": "master", "data_sources": ["Network device logs", "Network intrusion detection system", "Web application firewall logs", "Web logs", "DNS records", "Network protocol analysis", "Packet capture"], "description": "Detects known scanner IP addresses. Alert is only raised when the scan hits an opened port, on TCP or UDP and group by target address. This could be a very noisy rule, so be careful to check your detection perimeter before activation.", "attack": ["reconnaissance - Gather Victim Network Information (T1590)", "reconnaissance - Active Scanning (T1595)"], "intake-formats": ["NeroSwarm Honeypot", "Trellix Network Security", "Ekinops OneOS", "Broadcom/Symantec Endpoint Security", "AWS GuardDuty", "Google Workspace / ChromeOS", "Barracuda CloudGen Firewall", "Nozomi CMC", "OpenBSD Packet Filter / OPNSense / PfSense", "Ivanti / Pulse Connect Secure", "Nozomi Vantage", "Palo Alto NGFW", "Jizo AI / Sesame it NDR", "Stormshield SES", "Proofpoint PoD", "Fortinet FortiGate", "Cloudflare Gateway Network", "F5 BIG-IP", "Cato Networks SASE", "Cisco Secure Firewall", "Akamai Guardicore On-Prem [BETA]", "EfficientIP SOLIDServer DDI", "Netfilter", "Delinea PRA", "Sophos Firewall", "Suricata", "WatchGuard Firebox", "Infoblox DDI", "Palo Alto Prisma access", "Gatewatcher AionIQ v102", "Check Point NGFW", "Akamai Guardicore Cloud [BETA]", "Elastic Winlogbeat"]}, {"uuid": "41d7462b-83b7-473c-b82b-b607f1adad0e", "name": "Privilege Escalation Awesome Scripts (PEAS)", "effort": "elementary", "data_sources": ["Network device logs", "Packet capture", "Windows event logs", "Process command-line parameters"], "description": "Detect PEAS privileges escalation scripts and binaries", "attack": ["resource-development - Tool (T1588.002)"], "intake-formats": ["Cloudflare Gateway HTTP", "Trellix Network Security", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Tanium", "Thinkst Canary", "Salesforce", "VMware vCenter", "Azure Front Door", "Forcepoint Next-Generation Firewall", "Sophos Analysis Threat Center", "RSA SecurID", "Zscaler Internet Access", "CEF", "SentinelOne EDR", "Olfeo secure web gateway", "One Identity SPS", "Microsoft Entra ID / Azure AD", "Trend Micro Vision One OAT [BETA]", "Bitdefender GravityZone", "AWS WAF", "Cisco Meraki MX", "Check Point NGFW", "Elastic Winlogbeat", "Cisco NX-OS", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "OCSF", "Juniper NGFW", "Citrix NetScaler / ADC", "Palo Alto NGFW", "Trellix EDR [ALPHA]", "Stormshield SNS", "Apache HTTP Server", "F5 BIG-IP", "Cisco Secure Firewall", "IBM AIX", "OGO WAF", "Sophos Firewall", "Azure Activity Logs", "CrowdStrike Falcon", "Palo Alto Prisma access", "Trend Micro Apex One / Vision One endpoint", "BeyondTrust Privileged Remote Access Session", "Broadcom Edge Secure Web Gateway", "Zscaler Private Access [BETA]", "Netskope Transaction Events with AWS S3", "TEHTRIS EDR", "WithSecure Elements", "Google Kubernetes Engine", "Forcepoint Secure Web Gateway", "Elastic AuditBeat Linux", "PingFederate", "Stormshield SES", "Cisco Umbrella Proxy", "Cisco IOS router and switch", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Sekoia.io Endpoint Agent", "SentinelOne Singularity Identity", "Suricata", "Palo Alto Cortex XDR (EDR)", "Azure Windows", "NucleonEDR", "Google Cloud Load Balancing", "Squid", "Barracuda CloudGen Firewall", "Netskope Transaction Events [DEPRECATED]", "Trend Micro Cloud One / Deep Security", "Ubika WAAP Gateway", "Cybereason EDR activity", "Imperva WAF", "Cisco Secure Web Appliance", "Sekoia.io activity logs", "Azure Application Gateway", "F5 NGINX", "Olfeo SAAS", "SonicWall Firewall", "WALLIX Bastion", "CyberArk Digital Vault", "Fortinet FortiGate", "HAProxy", "VMware ESXi", "SentinelOne Cloud Funnel 2.0", "Trend Micro Vision One Workbench Alerts [BETA]"]}, {"uuid": "75c26b09-92bb-43d5-9343-0aaf00435df0", "name": "Trellix Network Security Threat Notified", "effort": "master", "data_sources": ["Web application firewall logs"], "description": "Trellix Network Security has detected a malicious traffic and raised an alert.", "attack": ["command-and-control - Application Layer Protocol (T1071)"], "intake-formats": ["Trellix Network Security"]}, {"uuid": "642e0455-bc85-45de-941a-2ecba9914f55", "name": "SharePoint Authenticated SSRF", "effort": "elementary", "data_sources": ["Packet capture", "Web logs", "Web application firewall logs", "Web proxy"], "description": "Detects succesful SSRF from an authenticated SharePoint user.", "attack": ["stealth - Exploitation for Stealth (T1211)", "defense-impairment - Network Boundary Bridging (T1599)"], "intake-formats": ["Cloudflare Gateway HTTP", "Broadcom Edge Secure Web Gateway", "Google Cloud Load Balancing", "Zscaler Private Access [BETA]", "Netskope Transaction Events with AWS S3", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Squid", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "OCSF", "Imperva WAF", "Thinkst Canary", "Cisco Secure Web Appliance", "Salesforce", "VMware vCenter", "Azure Front Door", "Azure Application Gateway", "F5 NGINX", "Citrix NetScaler / ADC", "Olfeo SAAS", "PingFederate", "Zscaler Internet Access", "Cisco Umbrella Proxy", "Apache HTTP Server", "F5 BIG-IP", "Cisco Secure Firewall", "HAProxy", "HarfangLab EDR", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "OGO WAF", "Sophos Firewall", "Suricata", "AWS WAF"]}, {"uuid": "bd808a15-690c-4932-8989-c9d2d7cfe8c5", "name": "Potential LokiBot User-Agent", "effort": "intermediate", "data_sources": ["Netflow/Enclave netflow", "Network protocol analysis", "Packet capture", "Web logs"], "description": "Detects potential LokiBot communications through the user-agent", "attack": ["command-and-control - Web Protocols (T1071.001)"], "intake-formats": ["NeroSwarm Honeypot", "Cloudflare Gateway HTTP", "Google Cloud Load Balancing", "Trapster (by Ballpoint) [BETA]", "Trellix Network Security", "Zscaler Private Access [BETA]", "Netskope Transaction Events with AWS S3", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Squid", "F5 Distributed Cloud", "Cisco Catalyst SD-WAN", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "OCSF", "Imperva WAF", "Thinkst Canary", "Cisco Secure Web Appliance", "Salesforce", "Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "VMware vCenter", "Forcepoint Secure Web Gateway", "Azure Front Door", "Azure Application Gateway", "F5 NGINX", "Citrix NetScaler / ADC", "SonicWall Firewall", "Cloudflare WAF events", "Fortinet FortiWeb", "Zscaler Internet Access", "Gatewatcher AionIQ V103", "Cisco Umbrella Proxy", "CEF", "Apache HTTP Server", "Fortinet FortiGate", "F5 BIG-IP", "Ubika Cloud Protector Traffic [DEPRECATED]", "Cisco Secure Firewall", "HAProxy", "HarfangLab EDR", "Cloudflare HTTP requests", "Ubika Cloud Protector Next Generation Alerts", "Microsoft Entra ID / Azure AD", "OGO WAF", "Sophos Firewall", "Suricata", "CrowdStrike Falcon", "AWS WAF", "Gatewatcher AionIQ v102", "AWS CloudFront", "Cisco Meraki MX", "Check Point NGFW"]}, {"uuid": "22b6997e-2287-499a-9c3e-a24f215f7613", "name": "Anomaly CloudFlare DDoS", "effort": "master", "data_sources": ["DNS records"], "description": "Detects anomaly on volume of DNS events from CloudFlare logs.", "attack": ["impact - Network Denial of Service (T1498)"], "intake-formats": []}, {"uuid": "3979bffd-c0f1-4291-b082-4ad1612b8934", "name": "CVE-2019-0604 SharePoint", "effort": "advanced", "data_sources": ["Packet capture", "Web logs", "Web application firewall logs", "Web proxy"], "description": "Detects the exploitation of the SharePoint vulnerability (CVE-2019-0604).", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Cloudflare Gateway HTTP", "Broadcom Edge Secure Web Gateway", "Google Cloud Load Balancing", "Trellix Network Security", "Zscaler Private Access [BETA]", "Netskope Transaction Events with AWS S3", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Squid", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "OCSF", "Imperva WAF", "Thinkst Canary", "Cisco Secure Web Appliance", "Salesforce", "VMware vCenter", "Forcepoint Secure Web Gateway", "Azure Front Door", "Sekoia.io activity logs", "Azure Application Gateway", "F5 NGINX", "Citrix NetScaler / ADC", "Olfeo SAAS", "SonicWall Firewall", "Palo Alto NGFW", "PingFederate", "Zscaler Internet Access", "Cisco Umbrella Proxy", "CEF", "Apache HTTP Server", "Fortinet FortiGate", "F5 BIG-IP", "Cisco Secure Firewall", "HAProxy", "HarfangLab EDR", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "OGO WAF", "Sophos Firewall", "Suricata", "SentinelOne Cloud Funnel 2.0", "AWS WAF", "Palo Alto Prisma access", "Cisco Meraki MX", "Check Point NGFW"]}, {"uuid": "e24b272b-a6b1-428c-9f2f-d23b87afbca8", "name": "Anomaly Fortigate IPS Alert Peak", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "The rule detects abnormally high number of Fortigate IPS alert", "attack": ["reconnaissance - Active Scanning (T1595)"], "intake-formats": []}, {"uuid": "7ad9d141-b68a-4dca-a496-d9bddce8a46e", "name": "Fortigate Firewall Successful External Login", "effort": "master", "data_sources": ["Authentication logs", "Web application firewall logs", "Web logs", "Web proxy", "Network protocol analysis", "Packet capture"], "description": "Detects succesfull access to administration console of firewall from another IP address than 127.0.0.1. Prerequisites, check that the firewall logs format corresponds to the rule", "attack": ["initial-access - Valid Accounts (T1078)", "credential-access - Brute Force (T1110)"], "intake-formats": []}, {"uuid": "8ef048fc-bad3-4bd3-b0a2-8dc1f5d1b51d", "name": "CVE-2021-20021 SonicWall Unauthenticated Administrator Access", "effort": "advanced", "data_sources": ["Packet capture", "Web logs", "Web application firewall logs", "Web proxy"], "description": "Detects the exploitation of SonicWall Unauthenticated Admin Access.", "attack": ["persistence - Create Account (T1136)", "initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Cloudflare Gateway HTTP", "Trellix Network Security", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Thinkst Canary", "Fastly Next-Gen WAF Audit Logs", "Salesforce", "VMware vCenter", "Azure Front Door", "Zscaler Internet Access", "CEF", "SentinelOne EDR", "Cato Networks SASE", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "Trend Micro Vision One OAT [BETA]", "Check Point Harmony Email & Collaboration Suite Security", "Delinea PRA", "Bitdefender GravityZone", "AWS WAF", "Cisco Meraki MX", "Check Point NGFW", "Cisco ESA", "Microsoft Defender XDR (Graph API) [BETA]", "OCSF", "Mimecast Email Security", "Citrix NetScaler / ADC", "Palo Alto NGFW", "Apache HTTP Server", "F5 BIG-IP", "PRODAFT USTA Cyber Threat Intelligence Platform", "Cisco Secure Firewall", "OGO WAF", "Sophos Firewall", "Microsoft 365 / Office 365", "Palo Alto Prisma access", "Trend Micro Apex One / Vision One endpoint", "BeyondTrust Privileged Remote Access Session", "Netskope", "Broadcom Edge Secure Web Gateway", "Zscaler Private Access [BETA]", "Broadcom/Symantec Endpoint Security", "Netskope Transaction Events with AWS S3", "TEHTRIS EDR", "Proofpoint TAP", "Forcepoint Secure Web Gateway", "Cisco ISE", "Sophos EDR", "Jizo AI / Sesame it NDR", "PingFederate", "Proofpoint PoD", "Stormshield SES", "Cisco Umbrella Proxy", "Cisco IOS router and switch", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Suricata", "Azure Files", "Google Cloud Load Balancing", "Squid", "Azure Key Vault", "Netskope Transaction Events [DEPRECATED]", "Trend Micro Cloud One / Deep Security", "Ubika WAAP Gateway", "Fortinet FortiProxy", "Imperva WAF", "Cisco Secure Web Appliance", "Sekoia.io activity logs", "Azure Application Gateway", "F5 NGINX", "Olfeo SAAS", "SonicWall Firewall", "Fortinet FortiMail", "Fortinet FortiGate", "HAProxy", "VMware ESXi", "SentinelOne Cloud Funnel 2.0", "Lookout Mobile Endpoint Security", "BeyondTrust PRA Team [BETA]"]}, {"uuid": "60efadd2-6bab-4bfe-8992-04c931e85ce8", "name": "Fortigate IPS High Severity Alert", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Fortigate intrusion detection alert with high severity.", "attack": ["reconnaissance - Active Scanning (T1595)"], "intake-formats": ["Fortinet FortiGate"]}, {"uuid": "f176e7f2-36d9-4c97-8516-5a089d0f4ac2", "name": "Malware Detected By Vade For M365 And Not Blocked", "effort": "advanced", "data_sources": ["Anti-virus", "Email gateway"], "description": "Vade Secure product Vade for M365 has detected a malware contained in the message and didn't delete it.", "attack": ["initial-access - Phishing (T1566)", "execution - Malicious File (T1204.002)"], "intake-formats": ["Vade for M365"]}, {"uuid": "686bfcfd-5f9b-4665-80c9-c990ba2705ff", "name": "Spearphishing (Gift Cards Fraud) Detected By Vade For M365", "effort": "master", "data_sources": ["Anti-virus", "Email gateway"], "description": "Vade Secure product Vade for M365 has detected a spear-phishing attempt with gift-cards fraud thematic. Executive impersonation requesting a money transfer to set up gift-cards for employees. Confidentiality and discretion are usually implied.", "attack": ["initial-access - Phishing (T1566)"], "intake-formats": ["Vade for M365"]}, {"uuid": "401eb0e4-bf91-4c99-b424-fba18a01c180", "name": "Brute-Force On Fortinet Firewall Login", "effort": "master", "data_sources": ["Authentication logs", "Web application firewall logs", "Web logs", "Web proxy", "Network protocol analysis", "Packet capture"], "description": "Spots many failed attempts to log on an administration interface.", "attack": ["credential-access - Brute Force (T1110)", "initial-access - Valid Accounts (T1078)"], "intake-formats": []}, {"uuid": "695011ce-6c09-468b-b6ad-46768ab812d8", "name": "Suspicious Email Attachment Received", "effort": "advanced", "data_sources": ["Email gateway", "Mail server"], "description": "Detects email containing a suspicious file as an attachment, based on its extension.", "attack": ["initial-access - Spearphishing Attachment (T1566.001)", "collection - Data from Network Shared Drive (T1039)"], "intake-formats": ["Palo Alto NGFW", "OCSF", "Varonis Data Security", "WithSecure Elements", "Proofpoint PoD", "Gatewatcher AionIQ V103", "Microsoft 365 / Office 365", "Palo Alto Prisma access", "Postfix", "Fortinet FortiMail", "Trend Micro Apex One / Vision One endpoint", "Mimecast Email Security", "Microsoft Defender XDR / Microsoft 365 Defender"]}, {"uuid": "d7a94ef7-9ed5-46d7-9426-8bd27fb2ca17", "name": "CVE-2021-22893 Pulse Connect Secure RCE Vulnerability", "effort": "intermediate", "data_sources": ["Network device logs", "Network protocol analysis", "Web logs", "Web application firewall logs"], "description": "Detects potential exploitation of the authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. It is highly recommended to apply the Pulse Secure mitigations and seach for indicators of compromise on affected servers if you are in doubt over the integrity of your Pulse Connect Secure product.", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Cloudflare Gateway HTTP", "Trellix Network Security", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Thinkst Canary", "Fastly Next-Gen WAF Audit Logs", "Salesforce", "VMware vCenter", "Azure Front Door", "Zscaler Internet Access", "CEF", "SentinelOne EDR", "Cato Networks SASE", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "Trend Micro Vision One OAT [BETA]", "Check Point Harmony Email & Collaboration Suite Security", "Delinea PRA", "Bitdefender GravityZone", "AWS WAF", "Cisco Meraki MX", "Check Point NGFW", "Cisco ESA", "Microsoft Defender XDR (Graph API) [BETA]", "OCSF", "Mimecast Email Security", "Citrix NetScaler / ADC", "Palo Alto NGFW", "Apache HTTP Server", "F5 BIG-IP", "PRODAFT USTA Cyber Threat Intelligence Platform", "Cisco Secure Firewall", "OGO WAF", "Sophos Firewall", "Microsoft 365 / Office 365", "Palo Alto Prisma access", "Trend Micro Apex One / Vision One endpoint", "BeyondTrust Privileged Remote Access Session", "Netskope", "Broadcom Edge Secure Web Gateway", "Zscaler Private Access [BETA]", "Broadcom/Symantec Endpoint Security", "Netskope Transaction Events with AWS S3", "TEHTRIS EDR", "Proofpoint TAP", "Forcepoint Secure Web Gateway", "Cisco ISE", "Sophos EDR", "Jizo AI / Sesame it NDR", "PingFederate", "Proofpoint PoD", "Stormshield SES", "Cisco Umbrella Proxy", "Cisco IOS router and switch", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Suricata", "Azure Files", "Google Cloud Load Balancing", "Squid", "Azure Key Vault", "Netskope Transaction Events [DEPRECATED]", "Trend Micro Cloud One / Deep Security", "Ubika WAAP Gateway", "Fortinet FortiProxy", "Imperva WAF", "Cisco Secure Web Appliance", "Sekoia.io activity logs", "Azure Application Gateway", "F5 NGINX", "Olfeo SAAS", "SonicWall Firewall", "Fortinet FortiMail", "Fortinet FortiGate", "HAProxy", "VMware ESXi", "SentinelOne Cloud Funnel 2.0", "Lookout Mobile Endpoint Security", "BeyondTrust PRA Team [BETA]"]}, {"uuid": "0caf3914-2952-4bd9-b48a-e13f588132fb", "name": "Login Brute-Force Successful On WatchGuard Firebox", "effort": "advanced", "data_sources": ["Authentication logs"], "description": "A user has attempted to login several times (brute-force) on WatchGuard Firebox and succeeded to login.", "attack": ["resource-development - Acquire Infrastructure (T1583)", "resource-development - Compromise Infrastructure (T1584)"], "intake-formats": ["WatchGuard Firebox"]}, {"uuid": "347ad552-dc26-4e48-a7a0-6ea4592372b8", "name": "Discord Suspicious Download", "effort": "advanced", "data_sources": ["Web proxy", "Web logs", "Web application firewall logs", "Packet capture", "Network intrusion detection system"], "description": "Discord is a messaging application. It allows users to create their own communities to share messages and attachments. Those attachments have little to no overview and can be downloaded by almost anyone, which has been abused by attackers to host malicious payloads.", "attack": ["command-and-control - Web Service (T1102)"], "intake-formats": ["NeroSwarm Honeypot", "Cloudflare Gateway HTTP", "Trellix Network Security", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "F5 Distributed Cloud", "Broadcom Cloud Secure Web Gateway", "Thinkst Canary", "Fastly Next-Gen WAF Audit Logs", "Salesforce", "VMware vCenter", "Azure Front Door", "Broadcom Siteminder", "Zscaler Internet Access", "Gatewatcher AionIQ V103", "CEF", "SentinelOne EDR", "Cato Networks SASE", "Kaspersky Endpoint Security", "Akamai Guardicore On-Prem [BETA]", "Olfeo secure web gateway", "Ubika Cloud Protector Next Generation Alerts", "Microsoft Entra ID / Azure AD", "Aleph Alerts [BETA]", "Check Point Harmony Email & Collaboration Suite Security", "Delinea PRA", "Trend Micro Vision One OAT [BETA]", "WatchGuard Firebox", "Bitdefender GravityZone", "AWS WAF", "AWS CloudFront", "Cisco Meraki MX", "Check Point NGFW", "Cisco ESA", "Kubernetes Audit Log", "Crowdstrike Falcon Telemetry", "Microsoft Defender XDR (Graph API) [BETA]", "OCSF", "Microsoft IIS", "Ivanti / Pulse Connect Secure", "Mimecast Email Security", "Citrix NetScaler / ADC", "Palo Alto NGFW", "Stormshield SNS", "Apache HTTP Server", "PRODAFT USTA Cyber Threat Intelligence Platform", "F5 BIG-IP", "Ubika Cloud Protector Traffic [DEPRECATED]", "Cisco Secure Firewall", "Cloudflare HTTP requests", "OGO WAF", "Sophos Firewall", "CrowdStrike Falcon", "Microsoft 365 / Office 365", "Gatewatcher AionIQ v102", "Palo Alto Prisma access", "Trend Micro Apex One / Vision One endpoint", "Retarus Email Security", "BeyondTrust Privileged Remote Access Session", "Netskope", "Broadcom Edge Secure Web Gateway", "Zscaler Private Access [BETA]", "Broadcom/Symantec Endpoint Security", "Netskope Transaction Events with AWS S3", "TEHTRIS EDR", "Proofpoint TAP", "WithSecure Elements", "Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "Forcepoint Secure Web Gateway", "Cisco ISE", "Sophos EDR", "Cloudflare WAF events", "Jizo AI / Sesame it NDR", "PingFederate", "Proofpoint PoD", "Stormshield SES", "Wiz Issues", "Cisco Umbrella Proxy", "Cisco IOS router and switch", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Suricata", "Azure Files", "Ubika Cloud Protector Alerts [DEPRECATED]", "Google Cloud Load Balancing", "Squid", "Azure Key Vault", "Akamai WAF", "Cisco Catalyst SD-WAN", "Netskope Transaction Events [DEPRECATED]", "Trend Micro Cloud One / Deep Security", "Ubika WAAP Gateway", "Fortinet FortiProxy", "Imperva WAF", "Cisco Secure Web Appliance", "Sekoia.io activity logs", "Azure Application Gateway", "F5 NGINX", "Olfeo SAAS", "SonicWall Firewall", "Fortinet FortiWeb", "Fortinet FortiMail", "Fortinet FortiGate", "HAProxy", "VMware ESXi", "SentinelOne Cloud Funnel 2.0", "Lookout Mobile Endpoint Security", "BeyondTrust PRA Team [BETA]"]}, {"uuid": "11a13d04-61cc-4a66-9867-f594f0dba2ad", "name": "ESET Protect Vulnerability Exploitation Attempt", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "Detects when an attempt is made to exploit a vulnerability.", "attack": ["resource-development - Vulnerabilities (T1588.006)"], "intake-formats": ["ESET Protect"]}, {"uuid": "179b55ce-e3a3-4d42-828a-716ea469316b", "name": "Correlation Potential DNS Tunnel", "effort": "advanced", "data_sources": ["DNS records", "Network device logs", "Packet capture"], "description": "Detects domain name which is longer than 62 characters and requested at least 50 times in a 10 minutes range time. Long domain names are distinctive of DNS tunnels.", "attack": ["command-and-control - DNS (T1071.004)"], "intake-formats": ["Retarus Email Security", "Cisco NX-OS", "Cloudflare Gateway HTTP", "Zscaler Private Access [BETA]", "Broadcom/Symantec Endpoint Security", "Vectra Cognito Detect", "Hornetsecurity 365 Total Protection", "Crowdstrike Falcon Telemetry", "AWS GuardDuty", "Cloudflare DNS logs", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Squid", "Barracuda CloudGen Firewall", "OCSF", "Fortinet FortiProxy", "Tanium", "Imperva WAF", "Thinkst Canary", "Cisco Secure Web Appliance", "Claroty xDome", "Forcepoint Secure Web Gateway", "Cisco ISE", "Nozomi CMC", "Sophos Analysis Threat Center", "Cisco Umbrella DNS", "SentinelOne Cloud Funnel 2.0", "Juniper NGFW", "F5 NGINX", "Ivanti / Pulse Connect Secure", "Unbound", "WALLIX Bastion", "SonicWall Firewall", "Palo Alto NGFW", "Cloudflare WAF events", "PingFederate", "Trend Micro Apex One / Vision One endpoint", "Zscaler Internet Access", "CyberArk Digital Vault", "Cisco Umbrella Proxy", "CEF", "Apache HTTP Server", "Cloudflare Gateway Network", "F5 BIG-IP", "Fortinet FortiGate", "Cato Networks SASE", "Cisco Secure Firewall", "Akamai Guardicore On-Prem [BETA]", "Fortinet FortiMail", "HAProxy", "HarfangLab EDR", "Windows", "EfficientIP SOLIDServer DDI", "ArubaOS Switch", "One Identity SPS", "SentinelOne Singularity Identity", "OGO WAF", "Delinea PRA", "Sophos Firewall", "Suricata", "WatchGuard Firebox", "VMware ESXi", "Palo Alto Cortex XDR (EDR)", "CrowdStrike Falcon", "Infoblox DDI", "Cloudflare Gateway DNS", "AWS WAF", "Gatewatcher AionIQ v102", "Palo Alto Prisma access", "BIND", "AWS CloudFront", "Azure Windows", "Postfix", "Check Point NGFW", "Akamai Guardicore Cloud [BETA]", "Elastic Winlogbeat"]}, {"uuid": "c3611e39-bdfd-4908-bd4b-e84869643296", "name": "Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)", "effort": "advanced", "data_sources": ["Email gateway"], "description": "Cx0 fraud and Patient Zero Detection alerts detected by Retarus Email Security. CxO Fraud Detection uses algorithms that identify from-spoofing and domain-spoofing, to detect falsified sender addresses (e.g. from high level executives - CEO, CFO...). Patient Zero Detection\u00ae uses a digital fingerprint to identify emails containing malware that have already been delivered.", "attack": ["initial-access - Spearphishing Attachment (T1566.001)", "initial-access - Spearphishing Link (T1566.002)"], "intake-formats": ["Retarus Email Security"]}, {"uuid": "e2c6ec80-d1e3-4503-bccf-f25bfe264fd2", "name": "Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL", "effort": "elementary", "data_sources": ["Network device logs", "Network protocol analysis", "Web logs", "Web application firewall logs"], "description": "Detects Raccoon Stealer 2.0 malware downloading legitimate third-party DLLs from its C2 server. These legitimate DLLs are used by the information stealer to collect data on the compromised hosts.", "attack": ["command-and-control - Web Protocols (T1071.001)", "command-and-control - Ingress Tool Transfer (T1105)"], "intake-formats": ["Cisco ESA", "BeyondTrust Privileged Remote Access Session", "Cloudflare Gateway HTTP", "Google Cloud Load Balancing", "Netskope", "Trellix Network Security", "Zscaler Private Access [BETA]", "Broadcom/Symantec Endpoint Security", "Netskope Transaction Events with AWS S3", "Microsoft Defender XDR (Graph API) [BETA]", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "TEHTRIS EDR", "Squid", "Azure Key Vault", "Netskope Transaction Events [DEPRECATED]", "Trend Micro Cloud One / Deep Security", "Ubika WAAP Gateway", "OCSF", "Fortinet FortiProxy", "Proofpoint TAP", "Imperva WAF", "Thinkst Canary", "Cisco Secure Web Appliance", "Salesforce", "VMware vCenter", "Forcepoint Secure Web Gateway", "Azure Front Door", "Cisco ISE", "Azure Application Gateway", "F5 NGINX", "Mimecast Email Security", "Citrix NetScaler / ADC", "Olfeo SAAS", "SonicWall Firewall", "Palo Alto NGFW", "Jizo AI / Sesame it NDR", "PingFederate", "Proofpoint PoD", "Stormshield SES", "Zscaler Internet Access", "Cisco Umbrella Proxy", "CEF", "SentinelOne EDR", "Apache HTTP Server", "Fortinet FortiGate", "F5 BIG-IP", "Cisco IOS router and switch", "Cato Networks SASE", "Cisco Secure Firewall", "Fortinet FortiMail", "HAProxy", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Olfeo secure web gateway", "PRODAFT USTA Cyber Threat Intelligence Platform", "Windows", "Microsoft Entra ID / Azure AD", "OGO WAF", "Check Point Harmony Email & Collaboration Suite Security", "Delinea PRA", "Sophos Firewall", "Suricata", "VMware ESXi", "Bitdefender GravityZone", "SentinelOne Cloud Funnel 2.0", "AWS WAF", "Microsoft 365 / Office 365", "BeyondTrust PRA Team [BETA]", "Palo Alto Prisma access", "Azure Files", "Cisco Meraki MX", "Check Point NGFW", "Trend Micro Apex One / Vision One endpoint"]}, {"uuid": "d6ad981f-720c-45a3-96af-8cfaddd594a3", "name": "CVE-2020-17530 Apache Struts RCE", "effort": "intermediate", "data_sources": ["Packet capture", "Web logs", "Web proxy", "Web application firewall logs"], "description": "Detects the exploitation of the Apache Struts RCE vulnerability (CVE-2020-17530).", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Cloudflare Gateway HTTP", "Trellix Network Security", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Thinkst Canary", "Fastly Next-Gen WAF Audit Logs", "Salesforce", "VMware vCenter", "Azure Front Door", "Zscaler Internet Access", "CEF", "SentinelOne EDR", "Cato Networks SASE", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "Trend Micro Vision One OAT [BETA]", "Check Point Harmony Email & Collaboration Suite Security", "Delinea PRA", "Bitdefender GravityZone", "AWS WAF", "Cisco Meraki MX", "Check Point NGFW", "Cisco ESA", "Microsoft Defender XDR (Graph API) [BETA]", "OCSF", "Mimecast Email Security", "Citrix NetScaler / ADC", "Palo Alto NGFW", "Apache HTTP Server", "F5 BIG-IP", "PRODAFT USTA Cyber Threat Intelligence Platform", "Cisco Secure Firewall", "OGO WAF", "Sophos Firewall", "Microsoft 365 / Office 365", "Palo Alto Prisma access", "Trend Micro Apex One / Vision One endpoint", "BeyondTrust Privileged Remote Access Session", "Netskope", "Broadcom Edge Secure Web Gateway", "Zscaler Private Access [BETA]", "Broadcom/Symantec Endpoint Security", "Netskope Transaction Events with AWS S3", "TEHTRIS EDR", "Proofpoint TAP", "Forcepoint Secure Web Gateway", "Cisco ISE", "Sophos EDR", "Jizo AI / Sesame it NDR", "PingFederate", "Proofpoint PoD", "Stormshield SES", "Cisco Umbrella Proxy", "Cisco IOS router and switch", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Suricata", "Azure Files", "Google Cloud Load Balancing", "Squid", "Azure Key Vault", "Netskope Transaction Events [DEPRECATED]", "Trend Micro Cloud One / Deep Security", "Ubika WAAP Gateway", "Fortinet FortiProxy", "Imperva WAF", "Cisco Secure Web Appliance", "Sekoia.io activity logs", "Azure Application Gateway", "F5 NGINX", "Olfeo SAAS", "SonicWall Firewall", "Fortinet FortiMail", "Fortinet FortiGate", "HAProxy", "VMware ESXi", "SentinelOne Cloud Funnel 2.0", "Lookout Mobile Endpoint Security", "BeyondTrust PRA Team [BETA]"]}, {"uuid": "514fb7cb-0bf2-49b6-aae6-76950af34108", "name": "CVE-2020-1147 SharePoint", "effort": "advanced", "data_sources": ["Packet capture", "Web logs", "Web application firewall logs", "Web proxy"], "description": "Detection of SharePoint vulnerability CVE-2020-1147.", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Cloudflare Gateway HTTP", "Broadcom Edge Secure Web Gateway", "Google Cloud Load Balancing", "Trellix Network Security", "Zscaler Private Access [BETA]", "Netskope Transaction Events with AWS S3", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Squid", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "OCSF", "Imperva WAF", "Thinkst Canary", "Cisco Secure Web Appliance", "Salesforce", "VMware vCenter", "Forcepoint Secure Web Gateway", "Azure Front Door", "Sekoia.io activity logs", "Azure Application Gateway", "F5 NGINX", "Citrix NetScaler / ADC", "Olfeo SAAS", "SonicWall Firewall", "Palo Alto NGFW", "PingFederate", "Zscaler Internet Access", "Cisco Umbrella Proxy", "CEF", "Apache HTTP Server", "Fortinet FortiGate", "F5 BIG-IP", "Cisco Secure Firewall", "HAProxy", "HarfangLab EDR", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "OGO WAF", "Sophos Firewall", "Suricata", "SentinelOne Cloud Funnel 2.0", "AWS WAF", "Palo Alto Prisma access", "Cisco Meraki MX", "Check Point NGFW"]}, {"uuid": "574900df-fee9-47b9-9c67-9104670ac3e5", "name": "ExtraHop Reveal(x) 360 Intrusion Detection Critical Severity", "effort": "master", "data_sources": ["Network intrusion detection system"], "description": "ExtraHop Reveal(x) 360 raised an intrusion detection alert with critical severity.", "attack": ["reconnaissance - Active Scanning (T1595)"], "intake-formats": ["ExtraHop Reveal(x) 360"]}, {"uuid": "3064cf77-6c30-4384-aec8-aa025ce05184", "name": "Login Brute-Force On FreeRadius", "effort": "intermediate", "data_sources": ["Authentication logs"], "description": "A user has attempted to login several times (brute-force) with error then one success.", "attack": ["credential-access - Brute Force (T1110)", "initial-access - Valid Accounts (T1078)"], "intake-formats": ["FreeRADIUS"]}, {"uuid": "29884fe3-a924-4958-9447-6b0e402bb5dc", "name": "CVE-2021-22986 F5 BIG-IP iControl REST Unauthenticated RCE", "effort": "elementary", "data_sources": ["Network device logs", "Network protocol analysis", "Web logs", "Web application firewall logs"], "description": "Detects successful exploitation of the F5 BIG-IP vulnerability CVE-2021-22986.", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["F5 BIG-IP"]}, {"uuid": "f9fbe265-5b14-4913-aba0-b015bd44ab8c", "name": "Potential Azure AD Phishing Page (Adversary-in-the-Middle)", "effort": "intermediate", "data_sources": ["Web proxy", "SSL/TLS inspection"], "description": "Detects an HTTP request to an URL typical of the Azure AD authentication flow, but towards a domain that is not one the legitimate Microsoft domains used for Azure AD authentication.", "attack": ["collection - Adversary-in-the-Middle (T1557)", "credential-access - Multi-Factor Authentication Interception (T1111)"], "intake-formats": ["NeroSwarm Honeypot", "Netskope", "Broadcom Edge Secure Web Gateway", "Kubernetes Audit Log", "Zscaler Private Access [BETA]", "Crowdstrike Falcon Telemetry", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "F5 Distributed Cloud", "Broadcom Cloud Secure Web Gateway", "Cisco Catalyst SD-WAN", "Akamai WAF", "Ubika WAAP Gateway", "OCSF", "Thinkst Canary", "Microsoft IIS", "Salesforce", "Ubika Cloud Protector Next Generation Traffic Logs [BETA]", "Sekoia.io activity logs", "F5 NGINX", "Ivanti / Pulse Connect Secure", "Citrix NetScaler / ADC", "Broadcom Siteminder", "Cloudflare WAF events", "Fortinet FortiWeb", "Zscaler Internet Access", "Gatewatcher AionIQ V103", "Cisco Umbrella Proxy", "Stormshield SNS", "F5 BIG-IP", "Ubika Cloud Protector Traffic [DEPRECATED]", "Cisco Secure Firewall", "Akamai Guardicore On-Prem [BETA]", "HAProxy", "HarfangLab EDR", "Kaspersky Endpoint Security", "Windows", "Cloudflare HTTP requests", "Ubika Cloud Protector Next Generation Alerts", "Aleph Alerts [BETA]", "WatchGuard Firebox", "Bitdefender GravityZone", "CrowdStrike Falcon", "Gatewatcher AionIQ v102", "AWS CloudFront", "Ubika Cloud Protector Alerts [DEPRECATED]"]}, {"uuid": "53247705-32c0-44cb-8035-331856b60ce6", "name": "CVE-2021-43798 Grafana Directory Traversal", "effort": "intermediate", "data_sources": ["Network device logs", "Network protocol analysis", "Web logs", "Web application firewall logs"], "description": "Grafana version 8.x has a 0day arbitrary file read (with no fix yet) based on a directory traversal vulnerability", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Cloudflare Gateway HTTP", "Broadcom Edge Secure Web Gateway", "Google Cloud Load Balancing", "Zscaler Private Access [BETA]", "Netskope Transaction Events with AWS S3", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Squid", "Azure Key Vault", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "OCSF", "Fortinet FortiProxy", "Imperva WAF", "Thinkst Canary", "Cisco Secure Web Appliance", "Salesforce", "VMware vCenter", "Azure Front Door", "Azure Application Gateway", "F5 NGINX", "Citrix NetScaler / ADC", "Olfeo SAAS", "Jizo AI / Sesame it NDR", "PingFederate", "Zscaler Internet Access", "Cisco Umbrella Proxy", "Apache HTTP Server", "F5 BIG-IP", "Cisco Secure Firewall", "HAProxy", "HarfangLab EDR", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "OGO WAF", "Delinea PRA", "Sophos Firewall", "Suricata", "AWS WAF", "Azure Files"]}, {"uuid": "ca0f96a6-c96f-4aae-be1c-9b3fa5016109", "name": "CVE-2021-22123 Fortinet FortiWeb OS Command Injection", "effort": "advanced", "data_sources": ["Packet capture", "Web logs", "Web application firewall logs", "Web proxy"], "description": "Detects Fortinet FortiWeb OS Command Injection (August 2021) vulnerability exploitation attempt. A remote, authenticated attacker can execute arbitrary commands on the system hosting a vulnerable FortiWeb WAF by sending a POST request with the command in the name field. At the time of writing this rule, it would appear that the request would respond in code 500 for a successful exploitation attempt.", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Cloudflare Gateway HTTP", "Broadcom Edge Secure Web Gateway", "Google Cloud Load Balancing", "Trellix Network Security", "Zscaler Private Access [BETA]", "Netskope Transaction Events with AWS S3", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Squid", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "OCSF", "Imperva WAF", "Thinkst Canary", "Cisco Secure Web Appliance", "Salesforce", "VMware vCenter", "Forcepoint Secure Web Gateway", "Azure Front Door", "Sekoia.io activity logs", "Azure Application Gateway", "F5 NGINX", "Citrix NetScaler / ADC", "Olfeo SAAS", "SonicWall Firewall", "Palo Alto NGFW", "PingFederate", "Zscaler Internet Access", "Cisco Umbrella Proxy", "CEF", "Apache HTTP Server", "Fortinet FortiGate", "F5 BIG-IP", "Cisco Secure Firewall", "HAProxy", "HarfangLab EDR", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "OGO WAF", "Sophos Firewall", "Suricata", "SentinelOne Cloud Funnel 2.0", "AWS WAF", "Palo Alto Prisma access", "Cisco Meraki MX", "Check Point NGFW"]}, {"uuid": "f3935410-dcdf-4284-b80b-0d8609702432", "name": "Burp Suite Tool Detected", "effort": "intermediate", "data_sources": ["Web proxy", "Web logs", "Web application firewall logs", "Packet capture", "Network intrusion detection system"], "description": "Burp Suite is a cybersecurity tool. When used as a proxy service, its purpose is to intercept packets and modify them to send them to the server. Burp Collaborator is a network service that Burp Suite uses to help discover many kinds of vulnerabilities (vulnerabilities scanner).", "attack": ["reconnaissance - Vulnerability Scanning (T1595.002)"], "intake-formats": ["Cloudflare Gateway HTTP", "Trellix Network Security", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Thinkst Canary", "Salesforce", "VMware vCenter", "Azure Front Door", "Sophos Analysis Threat Center", "Zscaler Internet Access", "CEF", "SentinelOne EDR", "Cato Networks SASE", "Akamai Guardicore On-Prem [BETA]", "Olfeo secure web gateway", "One Identity SPS", "Microsoft Entra ID / Azure AD", "Check Point Harmony Email & Collaboration Suite Security", "Delinea PRA", "WatchGuard Firebox", "Bitdefender GravityZone", "AWS WAF", "AWS CloudFront", "Cisco Meraki MX", "Check Point NGFW", "Elastic Winlogbeat", "Cisco NX-OS", "Cisco ESA", "Hornetsecurity 365 Total Protection", "Microsoft Defender XDR (Graph API) [BETA]", "OCSF", "Claroty xDome", "Juniper NGFW", "Ivanti / Pulse Connect Secure", "Mimecast Email Security", "Citrix NetScaler / ADC", "Palo Alto NGFW", "Apache HTTP Server", "PRODAFT USTA Cyber Threat Intelligence Platform", "F5 BIG-IP", "Cisco Secure Firewall", "ArubaOS Switch", "OGO WAF", "Sophos Firewall", "CrowdStrike Falcon", "Palo Alto Prisma access", "Gatewatcher AionIQ v102", "Microsoft 365 / Office 365", "Akamai Guardicore Cloud [BETA]", "Trend Micro Apex One / Vision One endpoint", "Retarus Email Security", "BeyondTrust Privileged Remote Access Session", "Netskope", "Zscaler Private Access [BETA]", "Broadcom/Symantec Endpoint Security", "Netskope Transaction Events with AWS S3", "AWS GuardDuty", "TEHTRIS EDR", "Proofpoint TAP", "Forcepoint Secure Web Gateway", "Cisco ISE", "Nozomi CMC", "Cloudflare WAF events", "Jizo AI / Sesame it NDR", "PingFederate", "Proofpoint PoD", "Stormshield SES", "Cisco Umbrella Proxy", "Cisco IOS router and switch", "Windows", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "SentinelOne Singularity Identity", "Vade Cloud", "Suricata", "Postfix", "Azure Files", "Azure Windows", "Google Cloud Load Balancing", "Squid", "Azure Key Vault", "Netskope Transaction Events [DEPRECATED]", "Trend Micro Cloud One / Deep Security", "Ubika WAAP Gateway", "Fortinet FortiProxy", "Imperva WAF", "Cisco Secure Web Appliance", "Azure Application Gateway", "F5 NGINX", "Olfeo SAAS", "SonicWall Firewall", "WALLIX Bastion", "CyberArk Digital Vault", "Fortinet FortiMail", "Cloudflare Gateway Network", "Fortinet FortiGate", "HAProxy", "VMware ESXi", "SentinelOne Cloud Funnel 2.0", "BeyondTrust PRA Team [BETA]", "Vectra Cognito Detect"]}, {"uuid": "926516fb-f2e5-4ff3-8c13-f8f3cb9d2db4", "name": "CVE-2019-11510 Pulse Secure Exploit", "effort": "elementary", "data_sources": ["Network device logs", "Network protocol analysis", "Packet capture", "Web logs"], "description": "Detects the successful exploitation of the Pulse Secure vulnerability CVE-2019-11510. This CVE is one of the most exploited CVEs since 2019. It is exploited by diverse threat actors, leading sometimes in ransomware deployement among these groups: Maze, Conti, Egregor, DoppelPaymer, NetWalker and REvil. But also APT actors such as APT29. The exploitation of this CVE allows a remote, unauthenticated attacker to compromise a vulnerable VPN server. The attacker may be able to gain access to all active users and their plain-text credentials. It may also be possible for the attacker to execute arbitrary commands on each VPN client as it successfully connects to the VPN server. The exploit reads /etc/passwd file to get access to login and passwords in (clear/text). An HTTP response status code = 200, means the file was successfully accessed. This vulnerability affects 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 products.", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Cloudflare Gateway HTTP", "Broadcom Edge Secure Web Gateway", "Google Cloud Load Balancing", "Zscaler Private Access [BETA]", "Netskope Transaction Events with AWS S3", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Squid", "Azure Key Vault", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "OCSF", "Fortinet FortiProxy", "Imperva WAF", "Thinkst Canary", "Cisco Secure Web Appliance", "Salesforce", "VMware vCenter", "Azure Front Door", "Azure Application Gateway", "F5 NGINX", "Citrix NetScaler / ADC", "Olfeo SAAS", "Jizo AI / Sesame it NDR", "PingFederate", "Zscaler Internet Access", "Cisco Umbrella Proxy", "Apache HTTP Server", "F5 BIG-IP", "Cisco Secure Firewall", "HAProxy", "HarfangLab EDR", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "OGO WAF", "Delinea PRA", "Sophos Firewall", "Suricata", "AWS WAF", "Azure Files"]}, {"uuid": "4e38c194-9347-4cfb-9e31-d114676b71d7", "name": "TrevorC2 HTTP Communication", "effort": "elementary", "data_sources": ["Netflow/Enclave netflow", "Network protocol analysis", "Packet capture", "Web logs"], "description": "Detects TrevorC2 HTTP communication based on the HTTP request URI and the user-agent. ", "attack": ["command-and-control - Web Protocols (T1071.001)"], "intake-formats": ["Cisco ESA", "Cloudflare Gateway HTTP", "Broadcom Edge Secure Web Gateway", "Google Cloud Load Balancing", "Netskope", "Trellix Network Security", "Zscaler Private Access [BETA]", "Netskope Transaction Events with AWS S3", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Squid", "Azure Key Vault", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "OCSF", "Fortinet FortiProxy", "Proofpoint TAP", "Imperva WAF", "Fastly Next-Gen WAF Audit Logs", "Thinkst Canary", "Cisco Secure Web Appliance", "Salesforce", "VMware vCenter", "Forcepoint Secure Web Gateway", "Azure Front Door", "Cisco ISE", "Sekoia.io activity logs", "Azure Application Gateway", "F5 NGINX", "Citrix NetScaler / ADC", "SonicWall Firewall", "Zscaler Internet Access", "Gatewatcher AionIQ V103", "Cisco Umbrella Proxy", "CEF", "Apache HTTP Server", "Fortinet FortiGate", "F5 BIG-IP", "Cato Networks SASE", "Cisco Secure Firewall", "Windows", "HAProxy", "HarfangLab EDR", "Microsoft Defender XDR / Microsoft 365 Defender", "Microsoft Entra ID / Azure AD", "OGO WAF", "Delinea PRA", "Sophos Firewall", "Suricata", "VMware ESXi", "AWS WAF", "Microsoft 365 / Office 365", "Azure Files", "Cisco Meraki MX", "Check Point NGFW"]}, {"uuid": "5755350f-5b18-4263-b560-1362cd0ff43c", "name": "CVE-2021-21985 VMware vCenter", "effort": "advanced", "data_sources": ["Web logs", "Web proxy", "Web application firewall logs", "Packet capture"], "description": "The VMware vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.0 before 7.0 U2b, 6.7 before 6.7 U3n and 6.5 before 6.5 U3p) and VMware Cloud Foundation (4.x before 4.2.1 and 3.x before 3.10.2.1).", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Cloudflare Gateway HTTP", "Broadcom Edge Secure Web Gateway", "Google Cloud Load Balancing", "Trellix Network Security", "Zscaler Private Access [BETA]", "Netskope Transaction Events with AWS S3", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Squid", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "OCSF", "Imperva WAF", "Thinkst Canary", "Cisco Secure Web Appliance", "Salesforce", "VMware vCenter", "Forcepoint Secure Web Gateway", "Azure Front Door", "Sekoia.io activity logs", "Azure Application Gateway", "F5 NGINX", "Citrix NetScaler / ADC", "Olfeo SAAS", "SonicWall Firewall", "Palo Alto NGFW", "PingFederate", "Zscaler Internet Access", "Cisco Umbrella Proxy", "CEF", "Apache HTTP Server", "Fortinet FortiGate", "F5 BIG-IP", "Cisco Secure Firewall", "HAProxy", "HarfangLab EDR", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "OGO WAF", "Sophos Firewall", "Suricata", "SentinelOne Cloud Funnel 2.0", "AWS WAF", "Palo Alto Prisma access", "Cisco Meraki MX", "Check Point NGFW"]}, {"uuid": "642b2a3f-c267-470f-994b-3bc299820fb3", "name": "CVE-2018-13379 Fortinet Exploit", "effort": "advanced", "data_sources": ["Packet capture", "Web logs", "Web application firewall logs", "Web proxy"], "description": "Detects the successful exploitation of the Fortinet FortiOS CVE-2018-13379. This CVE is one of the most exploited CVEs since 2018. It is exploited by APT threat actors as well as cybercriminals. The exploitation of this CVE lead an unauthenticated user to get full access to FortiOS system file through SSL VPN via specially crafted HTTP resource requests. The exploit read /dev/cmdb/sslvpn_websession file, that contains login and passwords in (clear/text). An HTTP response status code = 200, means the file was successfully accessed. This vulnerability affects FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4.", "attack": ["initial-access - Exploit Public-Facing Application (T1190)"], "intake-formats": ["Cloudflare Gateway HTTP", "Broadcom Edge Secure Web Gateway", "Google Cloud Load Balancing", "Zscaler Private Access [BETA]", "Netskope Transaction Events with AWS S3", "Skyhigh Secure Web Gateway / McAfee Web Gateway", "Squid", "Netskope Transaction Events [DEPRECATED]", "Ubika WAAP Gateway", "OCSF", "Imperva WAF", "Thinkst Canary", "Cisco Secure Web Appliance", "Salesforce", "VMware vCenter", "Azure Front Door", "Azure Application Gateway", "F5 NGINX", "Citrix NetScaler / ADC", "Olfeo SAAS", "PingFederate", "Zscaler Internet Access", "Cisco Umbrella Proxy", "Apache HTTP Server", "F5 BIG-IP", "Cisco Secure Firewall", "HAProxy", "HarfangLab EDR", "Olfeo secure web gateway", "Microsoft Entra ID / Azure AD", "OGO WAF", "Sophos Firewall", "Suricata", "AWS WAF"]}]
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_a9b9f7be-a036-4e10-a407-53bc3b8308b4_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_a9b9f7be-a036-4e10-a407-53bc3b8308b4_do_not_edit_manually.md
index 779ad6f511..aaa092ece4 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_a9b9f7be-a036-4e10-a407-53bc3b8308b4_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_a9b9f7be-a036-4e10-a407-53bc3b8308b4_do_not_edit_manually.md
@@ -21,6 +21,18 @@ The following Sekoia.io built-in rules match the intake **GraphAPI for Microsoft
     
     - **Effort:** master
 
+??? abstract "Entra ID Password Compromised By Known Credential Testing Tool"
+    
+    Detects a sign-in that has a correlation ID known to be used by malicious credential testing scripts. Note that even if the sign-in was blocked by MFA (error 50074) or device authentication (error 50097), these verifications only occur after the correct password was submitted. The account's password must still be considered compromised, and be changed.
+    
+    - **Effort:** elementary
+
+??? abstract "Entra ID Sign-In Via Known AiTM Phishing Kit (Mamba 2FA)"
+    
+    Detects a sign-in attempt with known characteristics of the adversary-in-the-middle phishing kit tracked by Sekoia.io as Mamba 2FA.
+    
+    - **Effort:** elementary
+
 ??? abstract "Exfiltration Domain"
     
     Detects traffic toward a domain flagged as a possible exfiltration vector.
diff --git a/docs/xdr/features/detect/built_in_detection_rules_eventids.md b/docs/xdr/features/detect/built_in_detection_rules_eventids.md
index 5cf7db13ef..faf0c14def 100644
--- a/docs/xdr/features/detect/built_in_detection_rules_eventids.md
+++ b/docs/xdr/features/detect/built_in_detection_rules_eventids.md
@@ -1,6 +1,6 @@
 # Built-in detection rules, EventIDs and EventProviders relations
 SEKOIA.IO provides built-in detection rules to illuminate intrusions, adversarial behaviours and suspicious activity escalation chains so you can immediately take steps to remediate. Built-in rules can be customized to your context and according to your security posture.
-This page aims at helping partners & customers in having their detection coverage by knowing which Event IDs and [Event Providers](https://learn.microsoft.com/en-us/windows/win32/etw/providing-events) are used by rule. **Please note this was retrieved automatically from our tests samples when generating attacks that triggered the rules. It might not be exhaustive and concerns mostly Windows-related rules.** _Last update on 2026-06-04_
+This page aims at helping partners & customers in having their detection coverage by knowing which Event IDs and [Event Providers](https://learn.microsoft.com/en-us/windows/win32/etw/providing-events) are used by rule. **Please note this was retrieved automatically from our tests samples when generating attacks that triggered the rules. It might not be exhaustive and concerns mostly Windows-related rules.** _Last update on 2026-06-11_
 
 The colors of the EventIDs in this page should be interpreted as follow:
 
@@ -12,569 +12,529 @@ The colors of the EventIDs in this page should be interpreted as follow:
 ## Rules x Effort Level x EventIDs x Event Providers
 | Rule Name | Effort Level | EventIDs | Event Providers |
 | --------- | ------------ | -------- | --------------- |
-| Net.exe User Account Creation | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Windows Registry Persistence COM Search Order Hijacking | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| SCM Database Privileged Operation | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4674' style='color: inherit;'>4674</a></span> | Microsoft-Windows-Security-Auditing |
-| CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
-| Microsoft Defender Antivirus Configuration Changed | master | <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>5007</a></span> | Microsoft-Windows-Windows Defender |
-| Data Compressed With Rar | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Webshell Creation | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656' style='color: inherit;'>4656</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663' style='color: inherit;'>4663</a></span> | Microsoft-Windows-Sysmon |
-| Remote Registry Management Using Reg Utility | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
-| Csrss Wrong Parent | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Malware Persistence Registry Key | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Correlation Multi Service Disable | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
-| Usage Of Sysinternals Tools | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Protected Storage Service Access | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
-| Outlook Registry Access | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| xWizard Execution | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
-| MS Office Product Spawning Exe in User Dir | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Registry Value Changed Via Windows Run Dialog | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4657' style='color: inherit;'>4657</a></span> | Microsoft-Windows-Security-Auditing |
-| Remote Monitoring and Management Software - AnyDesk | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>22</a></span> | Kernel-Process, Microsoft-Windows-DNS-Client |
-| Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| WMI DLL Loaded Via Office | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
-| Svchost DLL Search Order Hijack | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
-| Stop Backup Services | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Kernel-Process, Microsoft-Windows-Sysmon |
-| Suspicious DLL Loaded Via Office Applications | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
-| Advanced IP Scanner | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious Windows Installer Execution | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| AD Privileged Users Or Groups Reconnaissance | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4661' style='color: inherit;'>4661</a></span> | Microsoft-Windows-Security-Auditing |
+| DNS ServerLevelPluginDll Installation | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| User Account Created | master | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720' style='color: inherit;'>4720</a></span> | Microsoft-Windows-Security-Auditing |
+| Process Herpaderping | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>25</a></span> | Microsoft-Windows-Sysmon |
+| Smss Wrong Parent | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Windows Defender Deactivation Using PowerShell Script | master | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
+| DNS Query For Iplookup | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>22</a></span> | Microsoft-Windows-DNS-Client |
+| Winlogon wrong parent | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Account Added To A Security Enabled Group | master | <span style="color:#D89462">4728</span> | Microsoft-Windows-Security-Auditing |
 | AD User Enumeration | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662' style='color: inherit;'>4662</a></span> | Microsoft-Windows-Security-Auditing |
-| Microsoft Defender Antivirus Disable Using Registry | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Web Application Launching Shell | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688' style='color: inherit;'>4688</a></span> | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon |
-| Correlation Internal Kerberos Password Spraying | master | 4768 | Microsoft-Windows-Security-Auditing |
+| Potential RDP Connection To Non-Domain Host | master | <span style="color:#B60016">8001</span> | Microsoft-Windows-NTLM |
 | Computer Account Deleted | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743' style='color: inherit;'>4743</a></span> | Microsoft-Windows-Security-Auditing |
+| Spoolsv Wrong Parent | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Correlation Multi Service Disable | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
+| PowerView commandlets 2 | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| In-memory PowerShell | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
+| LSASS Access From Non System Account | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656' style='color: inherit;'>4656</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663' style='color: inherit;'>4663</a></span> | Microsoft-Windows-Security-Auditing |
 | Microsoft Defender Antivirus Exclusion Configuration | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>5007</a></span> | Microsoft-Windows-Sysmon, Microsoft-Windows-Windows Defender |
+| CVE-2017-11882 Microsoft Office Equation Editor Vulnerability | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>3</a></span> | Microsoft-Windows-Sysmon |
+| Svchost DLL Search Order Hijack | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
+| SCM Database Privileged Operation | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4674' style='color: inherit;'>4674</a></span> | Microsoft-Windows-Security-Auditing |
+| Cobalt Strike Named Pipes | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>17</a></span> | Microsoft-Windows-Sysmon |
 | Putty Sessions Listing | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656' style='color: inherit;'>4656</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663' style='color: inherit;'>4663</a></span> | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon |
-| Registry Checked For Lanmanserver DisableCompression Parameter | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663' style='color: inherit;'>4663</a></span> | Microsoft-Windows-Security-Auditing |
-| Spoolsv Wrong Parent | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Taskhostw Wrong Parent | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Shadow Copies | master | <span style="color:#D89462">4104</span>, <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688' style='color: inherit;'>4688</a></span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Security-Auditing |
-| Remote Monitoring and Management Software - Atera | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Antivirus Relevant File Paths Alerts | master | <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1116</a></span> | Microsoft-Windows-Windows Defender |
-| Elevated Shell Launched By Browser | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
-| Potential RDP Connection To Non-Domain Host | master | <span style="color:#B60016">8001</span> | Microsoft-Windows-NTLM |
-| Correlation Internal Ntlm Password Spraying | master | <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625' style='color: inherit;'>4625</a> | Microsoft-Windows-Security-Auditing |
+| MS Office Product Spawning Exe in User Dir | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Suspicious Cmd.exe Command Line | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Privileged AD Builtin Group Modified | master | <span style="color:#D89462">4727</span>, <span style="color:#D89462">4728</span>, <span style="color:#D89462">4729</span>, <span style="color:#D89462">4730</span>, <span style="color:#D89462">4754</span>, <span style="color:#D89462">4756</span>, <span style="color:#D89462">4757</span>, <span style="color:#D89462">4758</span>, <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4764' style='color: inherit;'>4764</a></span> | Microsoft-Windows-Security-Auditing |
-| Autorun Keys Modification | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>12</a></span> | Microsoft-Windows-Sysmon |
-| FromBase64String Command Line | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Scheduled Task Creation By Non Privileged User | master | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688' style='color: inherit;'>4688</a></span> | Microsoft-Windows-Security-Auditing |
-| Netsh Port Opening | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious New Printer Ports In Registry | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| SCM Database Handle Failure | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656' style='color: inherit;'>4656</a></span> | Microsoft-Windows-Security-Auditing |
-| LSASS Memory Dump | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>10</a></span> | Microsoft-Windows-Sysmon |
-| ISO LNK Infection Chain | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Kernel-Process, Microsoft-Windows-Kernel-File |
-| Abusing Azure Browser SSO | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
-| Windows Firewall Changes | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Disable Windows Defender Credential Guard | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Process Hollowing Detection | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>25</a></span> | Microsoft-Windows-Sysmon |
+| Failed Logon Followed By A Success From Public IP Addresses | master | <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625' style='color: inherit;'>4625</a> | Microsoft-Windows-Security-Auditing |
+| Opening Of a Password File | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
+| Compress Data for Exfiltration via Archiver | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
 | Taskhost or Taskhostw Suspicious Child Found | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| User Account Created | master | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720' style='color: inherit;'>4720</a></span> | Microsoft-Windows-Security-Auditing |
-| Svchost Wrong Parent | master | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688' style='color: inherit;'>4688</a></span> | Microsoft-Windows-Security-Auditing |
-| Elevated Msiexec Via Repair Functionality | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
+| AMSI Deactivation Using Registry Key | master |  |  |
+| Winrshost Wrong Parent | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Powershell Web Request | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>3</a></span> | Microsoft-Windows-Kernel-Network |
 | Suspicious Microsoft Defender Antivirus Exclusion Command | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| PowerView commandlets 2 | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| AD Privileged Users Or Groups Reconnaissance | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4661' style='color: inherit;'>4661</a></span> | Microsoft-Windows-Security-Auditing |
-| Credential Dumping-Tools Common Named Pipes | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>17</a></span> | Microsoft-Windows-Sysmon |
 | Microsoft Office Product Spawning Windows Shell | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Admin User RDP Remote Logon | master | <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624' style='color: inherit;'>4624</a> | Microsoft-Windows-Security-Auditing |
-| Pandemic Windows Implant | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Antivirus Relevant File Paths Alerts | master | <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1116</a></span> | Microsoft-Windows-Windows Defender |
+| WMIC Loading Scripting Libraries | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
+| Microsoft Office Creating Suspicious File | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious Access To Sensitive File Extensions | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
+| SCM Database Handle Failure | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656' style='color: inherit;'>4656</a></span> | Microsoft-Windows-Security-Auditing |
 | User Account Deleted | master | <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4726' style='color: inherit;'>4726</a> | Microsoft-Windows-Security-Auditing |
+| Privileged AD Builtin Group Modified | master | <span style="color:#D89462">4727</span>, <span style="color:#D89462">4728</span>, <span style="color:#D89462">4729</span>, <span style="color:#D89462">4730</span>, <span style="color:#D89462">4754</span>, <span style="color:#D89462">4756</span>, <span style="color:#D89462">4757</span>, <span style="color:#D89462">4758</span>, <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4764' style='color: inherit;'>4764</a></span> | Microsoft-Windows-Security-Auditing |
+| Narrator Feedback-Hub Persistence | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Rubeus Register New Logon Process | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4611' style='color: inherit;'>4611</a></span> | Microsoft-Windows-Security-Auditing |
+| Csrss Wrong Parent | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Lsass Wrong Parent | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Correlation Internal Kerberos Password Spraying | master | 4768 | Microsoft-Windows-Security-Auditing |
+| Suspicious DLL Loaded Via Office Applications | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
+| FromBase64String Command Line | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
 | Windows Sandbox Start | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
-| Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Rebooting | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
+| Powershell Suspicious Startup Shortcut Persistence | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Kernel-File |
+| xWizard Execution | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
+| Wsmprovhost Wrong Parent | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| NjRat Registry Changes | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Kernel-Process, Microsoft-Windows-Sysmon |
+| FoggyWeb Backdoor DLL Loading | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
+| Microsoft Defender Antivirus Disable Using Registry | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Taskhostw Wrong Parent | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Logonui Wrong Parent | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| User Added to Local Administrators | master | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732' style='color: inherit;'>4732</a></span> | Microsoft-Windows-Security-Auditing |
+| Protected Storage Service Access | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
+| Network Share Discovery | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
 | Execution From Suspicious Folder | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Disable Windows Defender Credential Guard | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| MMC Spawning Windows Shell | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| File Or Folder Permissions Modifications | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Malware Persistence Registry Key | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Scheduled Task Creation By Non Privileged User | master | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688' style='color: inherit;'>4688</a></span> | Microsoft-Windows-Security-Auditing |
+| WMI DLL Loaded Via Office | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
+| Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Powershell Winlogon Helper DLL | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Wininit Wrong Parent | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Stop Backup Services | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Kernel-Process, Microsoft-Windows-Sysmon |
+| Abusing Azure Browser SSO | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
+| Searchprotocolhost Child Found | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Outlook Registry Access | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Rebooting | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
+| Registry Checked For Lanmanserver DisableCompression Parameter | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663' style='color: inherit;'>4663</a></span> | Microsoft-Windows-Security-Auditing |
+| Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
 | Dllhost Wrong Parent | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Lsass Wrong Parent | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Possible Replay Attack | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649' style='color: inherit;'>4649</a></span> | Microsoft-Windows-Security-Auditing |
-| Winrshost Wrong Parent | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Cobalt Strike Named Pipes | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>17</a></span> | Microsoft-Windows-Sysmon |
-| In-memory PowerShell | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious Access To Sensitive File Extensions | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
-| Smss Wrong Parent | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Microsoft Office Macro Security Registry Modifications | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| WMIC Loading Scripting Libraries | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
-| Failed Logon Followed By A Success From Public IP Addresses | master | <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625' style='color: inherit;'>4625</a> | Microsoft-Windows-Security-Auditing |
-| Admin Share Access | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140' style='color: inherit;'>5140</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
-| Searchprotocolhost Wrong Parent | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Elevated Shell Launched By Browser | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
+| Admin User RDP Remote Logon | master | <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624' style='color: inherit;'>4624</a> | Microsoft-Windows-Security-Auditing |
+| Pandemic Windows Implant | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Advanced IP Scanner | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Netsh Port Opening | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| DNS Server Error Failed Loading The ServerLevelPluginDLL | master | 150, 770, 771 | Microsoft-Windows-DNS-Server-Service |
+| Remote Registry Management Using Reg Utility | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
+| ISO LNK Infection Chain | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Kernel-Process, Microsoft-Windows-Kernel-File |
+| Remote Monitoring and Management Software - AnyDesk | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>22</a></span> | Kernel-Process, Microsoft-Windows-DNS-Client |
+| Registry Value Changed Via Windows Run Dialog | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4657' style='color: inherit;'>4657</a></span> | Microsoft-Windows-Security-Auditing |
+| Shadow Copies | master | <span style="color:#D89462">4104</span>, <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688' style='color: inherit;'>4688</a></span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Security-Auditing |
+| Usage Of Sysinternals Tools | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
 | Account Removed From A Security Enabled Group | master | <span style="color:#D89462">4729</span> | Microsoft-Windows-Security-Auditing |
-| Microsoft Defender Antivirus History Deleted | master | <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1013</a></span> | Microsoft-Windows-Windows Defender |
-| Wsmprovhost Wrong Parent | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Grabbing Sensitive Hives Via Reg Utility | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process, Microsoft-Windows-Sysmon |
-| Process Herpaderping | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>25</a></span> | Microsoft-Windows-Sysmon |
-| Windows Registry Persistence COM Key Linking | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Powershell Winlogon Helper DLL | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| FoggyWeb Backdoor DLL Loading | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
-| User Added to Local Administrators | master | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732' style='color: inherit;'>4732</a></span> | Microsoft-Windows-Security-Auditing |
+| Searchindexer Wrong Parent | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Searchprotocolhost Wrong Parent | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious New Printer Ports In Registry | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
 | Windows Suspicious Scheduled Task Creation | master | 4698 | Microsoft-Windows-Security-Auditing |
-| Microsoft Office Creating Suspicious File | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
-| Winlogon wrong parent | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| LSASS Access From Non System Account | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656' style='color: inherit;'>4656</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663' style='color: inherit;'>4663</a></span> | Microsoft-Windows-Security-Auditing |
+| Remote Service Activity Via SVCCTL Named Pipe | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
 | Disable Security Events Logging Adding Reg Key MiniNt | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Grabbing Sensitive Hives Via Reg Utility | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process, Microsoft-Windows-Sysmon |
+| Windows Firewall Changes | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Microsoft Office Macro Security Registry Modifications | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Autorun Keys Modification | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>12</a></span> | Microsoft-Windows-Sysmon |
+| Remote Monitoring and Management Software - Atera | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Microsoft Defender Antivirus History Deleted | master | <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1013</a></span> | Microsoft-Windows-Windows Defender |
+| Suspicious PsExec Execution | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
+| Web Application Launching Shell | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688' style='color: inherit;'>4688</a></span> | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon |
+| CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
+| Possible Replay Attack | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649' style='color: inherit;'>4649</a></span> | Microsoft-Windows-Security-Auditing |
+| Windows Registry Persistence COM Key Linking | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Microsoft Defender Antivirus Configuration Changed | master | <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>5007</a></span> | Microsoft-Windows-Windows Defender |
+| Net.exe User Account Creation | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Commonly Used Commands To Stop Services And Remove Backups | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Windows Registry Persistence COM Search Order Hijacking | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| LSASS Memory Dump | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>10</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious Windows Installer Execution | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| User Couldn't Call A Privileged Service LsaRegisterLogonProcess | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673' style='color: inherit;'>4673</a></span> | Microsoft-Windows-Security-Auditing |
+| Elevated Msiexec Via Repair Functionality | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
+| Admin Share Access | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140' style='color: inherit;'>5140</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
 | Taskhost Wrong Parent | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Powershell Suspicious Startup Shortcut Persistence | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Kernel-File |
-| Powershell Web Request | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>3</a></span> | Microsoft-Windows-Kernel-Network |
-| Searchprotocolhost Child Found | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious PsExec Execution | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
-| DNS ServerLevelPluginDll Installation | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Searchindexer Wrong Parent | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| MMC Spawning Windows Shell | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Remote Service Activity Via SVCCTL Named Pipe | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
-| Compress Data for Exfiltration via Archiver | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
-| Rubeus Register New Logon Process | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4611' style='color: inherit;'>4611</a></span> | Microsoft-Windows-Security-Auditing |
+| Correlation Internal Ntlm Password Spraying | master | <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625' style='color: inherit;'>4625</a> | Microsoft-Windows-Security-Auditing |
 | PowerShell Malicious PowerShell Commandlets | master | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
-| Network Share Discovery | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| AMSI Deactivation Using Registry Key | master |  |  |
-| File Or Folder Permissions Modifications | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Wininit Wrong Parent | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| DNS Query For Iplookup | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>22</a></span> | Microsoft-Windows-DNS-Client |
-| DNS Server Error Failed Loading The ServerLevelPluginDLL | master | 150, 770, 771 | Microsoft-Windows-DNS-Server-Service |
-| CVE-2017-11882 Microsoft Office Equation Editor Vulnerability | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>3</a></span> | Microsoft-Windows-Sysmon |
-| NjRat Registry Changes | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Kernel-Process, Microsoft-Windows-Sysmon |
-| Windows Defender Deactivation Using PowerShell Script | master | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
-| User Couldn't Call A Privileged Service LsaRegisterLogonProcess | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673' style='color: inherit;'>4673</a></span> | Microsoft-Windows-Security-Auditing |
-| Process Hollowing Detection | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>25</a></span> | Microsoft-Windows-Sysmon |
-| Opening Of a Password File | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
-| Narrator Feedback-Hub Persistence | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious Windows DNS Queries | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>22</a></span> | Kernel-Process, Microsoft-Windows-Sysmon |
-| PowerShell Suspicious Context Changes | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
-| Certify Or Certipy | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>3</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
-| WerFaultSecure Abuse | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
-| Lateral Movement Remote Named Pipe | advanced | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
-| HTML Smuggling Suspicious Usage | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>15</a></span> | Microsoft-Windows-Sysmon |
-| HackTools Suspicious Names | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Kernel-File, Microsoft-Windows-Sysmon |
-| PowerShell Download From URL | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Capture a network trace with netsh.exe | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious Double Extension | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Microsoft-Windows-Sysmon |
-| Exploit For CVE-2017-0261 Or CVE-2017-0262 | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Account Tampering - Suspicious Failed Logon Reasons | advanced | <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625' style='color: inherit;'>4625</a>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776' style='color: inherit;'>4776</a></span> | Microsoft-Windows-Security-Auditing |
-| Rclone Process | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| PowerShell Data Compressed | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| BITSAdmin Download | advanced |  |  |
-| Adidnsdump Enumeration | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span>, <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688' style='color: inherit;'>4688</a></span> | Microsoft-Windows-Kernel-File, Microsoft-Windows-Security-Auditing |
+| Webshell Creation | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656' style='color: inherit;'>4656</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663' style='color: inherit;'>4663</a></span> | Microsoft-Windows-Sysmon |
+| Svchost Wrong Parent | master | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688' style='color: inherit;'>4688</a></span> | Microsoft-Windows-Security-Auditing |
+| Credential Dumping-Tools Common Named Pipes | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>17</a></span> | Microsoft-Windows-Sysmon |
 | Remote System Discovery Via Telnet | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
-| Logon Scripts (UserInitMprLogonScript) | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| System Network Connections Discovery | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Microsoft Defender Antivirus Tampering Detected | advanced | <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1127</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>2013</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>5001</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>5010</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>5012</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>5101</a></span> | Microsoft-Windows-Windows Defender |
-| Openfiles Usage | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
-| OneNote Suspicious Children Process | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>15</a></span> | Microsoft-Windows-Sysmon |
+| Dynwrapx Module Loading | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
 | Language Discovery | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
+| AccCheckConsole Executing Dll | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
+| Suspicious Double Extension | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Microsoft-Windows-Sysmon |
+| Powershell AMSI Bypass | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
 | Alternate PowerShell Hosts Pipe | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>17</a></span> | Microsoft-Windows-Sysmon |
+| Certify Or Certipy | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>3</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
+| Disabled IE Security Features | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Load Of dbghelp/dbgcore DLL From Suspicious Process | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious XOR Encoded PowerShell Command Line | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
+| Cmd.exe Used To Run Reconnaissance Commands | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Powershell UploadString Function | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Microsoft Defender Antivirus Threat Detected | advanced | <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1006</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1007</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1008</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1015</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1116</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1117</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1118</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1119</a></span>, 1125, 1126 | Microsoft-Windows-Windows Defender |
+| Suspicious Regasm Regsvcs Usage | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
 | Netsh Allow Command | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Exfiltration Via Pscp | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Hiding Files With Attrib.exe | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| AzureEdge in Command Line | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
-| ACLight Discovering Privileged Accounts | advanced | <span style="color:#B60016">4103</span> | Microsoft-Windows-PowerShell |
-| Domain Trust Created Or Removed | advanced | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706' style='color: inherit;'>4706</a></span>, <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4707' style='color: inherit;'>4707</a></span> | Microsoft-Windows-Security-Auditing |
-| Credentials Extraction | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
-| Microsoft Windows Active Directory Module Commandlets | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
-| Rare Logonui Child Found | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Legitimate Process Execution From Unusual Folder | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span>, <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688' style='color: inherit;'>4688</a></span> | Microsoft-Windows-Sysmon |
-| NetSh Used To Disable Windows Firewall | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Non-Legitimate Executable Using AcceptEula Parameter | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>8</a></span> | Kernel-Process, Microsoft-Windows-Kernel-Process |
-| RDP Login From Localhost | advanced | <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624' style='color: inherit;'>4624</a> | Microsoft-Windows-Security-Auditing |
-| Control Panel Items | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Permission Discovery Via Wmic | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Exfiltration And Tunneling Tools Execution | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Wmic Suspicious Commands | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
-| Rubeus Tool Command-line | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Unsigned Driver Loaded From Suspicious Location | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>6</a></span> | Microsoft-Windows-Sysmon |
-| PowerShell Malicious Nishang PowerShell Commandlets | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
+| Suspicious Control Process | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Active Directory Replication from Non Machine Account | advanced | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662' style='color: inherit;'>4662</a></span> | Microsoft-Windows-Security-Auditing |
+| Suspicious desktop.ini Action | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>15</a></span> | Microsoft-Windows-Sysmon |
+| Metasploit PSExec Service Creation | advanced | <span style="color:#B60016">7045</span> | Service Control Manager |
+| RDP Session Discovery | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Suspicious Regsvr32 Execution | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious PowerShell Invocations - Generic | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Usage Of Procdump With Common Arguments | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Correlation Admin Files Checked On Network Share | advanced | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
-| PowerShell NTFS Alternate Data Stream | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
-| WMI Persistence Script Event Consumer File Write | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
-| Python Opening Ports | advanced | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5154' style='color: inherit;'>5154</a></span> | Microsoft-Windows-Security-Auditing |
-| WMI Event Subscription | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>19</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>20</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>21</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious Hostname | advanced | <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624' style='color: inherit;'>4624</a> | Microsoft-Windows-Security-Auditing |
 | WiFi Credentials Harvesting Using Netsh | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| AD Object WriteDAC Access | advanced | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662' style='color: inherit;'>4662</a></span> | Microsoft-Windows-Security-Auditing |
-| Default Encoding To UTF-8 PowerShell | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| WMImplant Hack Tool | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
-| WMIC Command To Determine The Antivirus | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span>, <span style="color:#D89462">4104</span> | Kernel-Process, Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Credential Harvesting Via Vaultcmd.exe | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
-| Active Directory Replication from Non Machine Account | advanced | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662' style='color: inherit;'>4662</a></span> | Microsoft-Windows-Security-Auditing |
+| PowerShell Invoke-Obfuscation Obfuscated IEX Invocation | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
+| Adidnsdump Enumeration | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span>, <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688' style='color: inherit;'>4688</a></span> | Microsoft-Windows-Kernel-File, Microsoft-Windows-Security-Auditing |
+| PowerShell NTFS Alternate Data Stream | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
+| NetSh Used To Disable Windows Firewall | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Logon Scripts (UserInitMprLogonScript) | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Mimikatz LSASS Memory Access | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>10</a></span> | Microsoft-Windows-Sysmon |
 | Ntfsinfo Usage | advanced | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688' style='color: inherit;'>4688</a></span> | Microsoft-Windows-Security-Auditing |
-| PowerShell EncodedCommand | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| SAM Registry Hive Handle Request | advanced | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656' style='color: inherit;'>4656</a></span> | Microsoft-Windows-Security-Auditing |
-| Suspicious ADSI-Cache Usage By Unknown Tool | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
-| RDP Session Discovery | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Dynwrapx Module Loading | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
-| FLTMC command usage | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
-| Suspicious XOR Encoded PowerShell Command Line | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
-| Powershell UploadString Function | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| NlTest Usage | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process, Microsoft-Windows-Sysmon |
-| Netsh Program Allowed With Suspicious Location | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| XCopy Suspicious Usage | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| External Disk Drive Or USB Storage Device | advanced | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6416' style='color: inherit;'>6416</a></span> | Microsoft-Windows-Security-Auditing |
-| PowerView commandlets 1 | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Malicious PowerShell Keywords | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
-| Suspicious Control Process | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Compression Followed By Suppression | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
+| HTML Smuggling Suspicious Usage | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>15</a></span> | Microsoft-Windows-Sysmon |
+| Credential Harvesting Via Vaultcmd.exe | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
 | Suspicious PROCEXP152.sys File Created In Tmp | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
-| Microsoft Defender Antivirus Threat Detected | advanced | <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1006</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1007</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1008</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1015</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1116</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1117</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1118</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1119</a></span>, 1125, 1126 | Microsoft-Windows-Windows Defender |
-| PowerShell Invoke-Obfuscation Obfuscated IEX Invocation | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
-| Load Of dbghelp/dbgcore DLL From Suspicious Process | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
-| PsExec Process | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span>, <span style="color:#B60016">7045</span> | Microsoft-Windows-Sysmon, Service Control Manager |
-| Successful Overpass The Hash Attempt | advanced | <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624' style='color: inherit;'>4624</a> | Microsoft-Windows-Security-Auditing |
-| PowerShell AMSI Deactivation Bypass Using .NET Reflection | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
+| System Network Connections Discovery | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| PowerShell Suspicious Context Changes | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
 | CreateRemoteThread Common Process Injection | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>8</a></span> | Microsoft-Windows-Sysmon |
-| RDP Sensitive Settings Changed | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| WMIC Command To Determine The Antivirus | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span>, <span style="color:#D89462">4104</span> | Kernel-Process, Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Remote Privileged Group Enumeration | advanced | 4799 | Microsoft-Windows-Security-Auditing |
+| Lateral Movement Remote Named Pipe | advanced | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
+| Unsigned Image Loaded Into LSASS Process | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
+| PsExec Process | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span>, <span style="color:#B60016">7045</span> | Microsoft-Windows-Sysmon, Service Control Manager |
+| Unsigned Driver Loaded From Suspicious Location | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>6</a></span> | Microsoft-Windows-Sysmon |
+| NlTest Usage | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process, Microsoft-Windows-Sysmon |
 | PowerShell Commands Invocation | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
-| RDP Configuration File From Mail Process | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Kernel-Process, Microsoft-Windows-Kernel-File |
-| AccCheckConsole Executing Dll | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
-| Domain Group And Permission Enumeration | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious desktop.ini Action | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>15</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious PowerShell Keywords | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
-| Csrss Child Found | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious Regasm Regsvcs Usage | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
-| NTDS.dit File In Suspicious Directory | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
-| Cmd.exe Used To Run Reconnaissance Commands | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Disabled IE Security Features | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
 | PowerShell Credential Prompt | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
-| AutoIt3 Execution From Suspicious Folder | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
-| Metasploit PSExec Service Creation | advanced | <span style="color:#B60016">7045</span> | Service Control Manager |
 | Component Object Model Hijacking | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>23</a></span> | Microsoft-Windows-Kernel-File |
-| Unsigned Image Loaded Into LSASS Process | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
+| OneNote Suspicious Children Process | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>15</a></span> | Microsoft-Windows-Sysmon |
+| Microsoft Defender Antivirus Tampering Detected | advanced | <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1127</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>2013</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>5001</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>5010</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>5012</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>5101</a></span> | Microsoft-Windows-Windows Defender |
+| Capture a network trace with netsh.exe | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Dism Disabling Windows Defender | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
+| Control Panel Items | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| PowerShell Malicious Nishang PowerShell Commandlets | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
+| RDP Sensitive Settings Changed | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| PowerView commandlets 1 | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Csrss Child Found | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Microsoft Windows Active Directory Module Commandlets | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
+| VSCode Tunnel Shell Exec | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
+| WMI Persistence Script Event Consumer File Write | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
+| Credentials Extraction | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
+| PowerShell EncodedCommand | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Credential Dump Tools Related Files | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>15</a></span> | Microsoft-Windows-Kernel-File, Microsoft-Windows-Sysmon |
-| Compression Followed By Suppression | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
-| Suspicious PrinterPorts Creation (CVE-2020-1048) | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>10</a></span> | Microsoft-Windows-Sysmon |
-| Mimikatz LSASS Memory Access | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>10</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious Outbound Kerberos Connection | advanced | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156' style='color: inherit;'>5156</a></span> | Microsoft-Windows-Security-Auditing |
-| Powershell AMSI Bypass | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
+| ACLight Discovering Privileged Accounts | advanced | <span style="color:#B60016">4103</span> | Microsoft-Windows-PowerShell |
+| PowerShell Download From URL | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Suspicious Hostname | advanced | <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624' style='color: inherit;'>4624</a> | Microsoft-Windows-Security-Auditing |
 | Microsoft IIS Module Installation | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span>, <span style="color:#D89462">4104</span> | Kernel-Process, Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Svchost Modification | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| New Service Creation | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Dism Disabling Windows Defender | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
+| Suspicious Windows DNS Queries | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>22</a></span> | Kernel-Process, Microsoft-Windows-Sysmon |
+| PowerShell AMSI Deactivation Bypass Using .NET Reflection | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
 | Adexplorer Usage | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Change Default File Association | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| VSCode Tunnel Shell Exec | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
-| Remote Privileged Group Enumeration | advanced | 4799 |  |
-| MOFComp Execution | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Chafer (APT 39) Activity | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697' style='color: inherit;'>4697</a></span>, <span style="color:#B60016">7045</span> | Microsoft-Windows-Security-Auditing, Service Control Manager |
-| BazarLoader Persistence Using Schtasks | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Gpscript Suspicious Parent | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Spyware Persistence Using Schtasks | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious Rundll32.exe Executions | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process, Microsoft-Windows-Sysmon |
-| Ngrok Process Execution | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious Mshta Execution From Wmi | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| NetNTLM Downgrade Attack | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4657' style='color: inherit;'>4657</a></span> | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon |
-| Suspicious Process Requiring DLL Starts Without DLL | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Schtasks Suspicious Parent | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
-| Hijack Legit RDP Session To Move Laterally | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
-| Correlation Post Exploitation Patterns Via Winrm | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
-| Microsoft Exchange Server Creating Unusual Files | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
-| Reconnaissance Commands Activities | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
-| Microsoft Defender Antivirus Disable Services | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| QakBot Process Creation | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Data Compressed With Rar With Password | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| COM Hijack Via Sdclt | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data | intermediate | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
-| SolarWinds Wrong Child Process | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Bloodhound and Sharphound Tools Usage | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Process Memory Dump Using Comsvcs | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process, Microsoft-Windows-Sysmon |
-| Exchange Server Spawning Suspicious Processes | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Netsh Port Forwarding | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Network Sniffing Windows | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious Taskkill Command | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Impacket Secretsdump.py Tool | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
-| Suspicious PowerShell Invocations - Specific | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| PowerCat Function Loading | intermediate | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
-| Microsoft Defender Antivirus Set-MpPreference Base64 Encoded | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| StoneDrill Service Install | intermediate | <span style="color:#B60016">7045</span> | Service Control Manager |
-| Credential Dumping Tools Service Execution | intermediate | <span style="color:#B60016">7045</span> | Service Control Manager |
-| Correlation Supicious Powershell Drop and Exec | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>3</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Kernel-Process, Microsoft-Windows-Kernel-File, Microsoft-Windows-Kernel-Network |
-| Njrat Registry Values | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Possible RottenPotato Attack | intermediate | <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624' style='color: inherit;'>4624</a> | Microsoft-Windows-Security-Auditing |
+| WMImplant Hack Tool | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
+| Suspicious PowerShell Invocations - Generic | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious PrinterPorts Creation (CVE-2020-1048) | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>10</a></span> | Microsoft-Windows-Sysmon |
+| Exfiltration And Tunneling Tools Execution | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| AzureEdge in Command Line | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
+| Permission Discovery Via Wmic | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Exploit For CVE-2017-0261 Or CVE-2017-0262 | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Rare Logonui Child Found | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| New Service Creation | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| AD Object WriteDAC Access | advanced | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662' style='color: inherit;'>4662</a></span> | Microsoft-Windows-Security-Auditing |
+| Hiding Files With Attrib.exe | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| PowerShell Data Compressed | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| BITSAdmin Download | advanced |  |  |
+| NTDS.dit File In Suspicious Directory | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
+| SAM Registry Hive Handle Request | advanced | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656' style='color: inherit;'>4656</a></span> | Microsoft-Windows-Security-Auditing |
+| Usage Of Procdump With Common Arguments | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Wmic Suspicious Commands | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
+| FLTMC command usage | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
+| Non-Legitimate Executable Using AcceptEula Parameter | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>8</a></span> | Kernel-Process, Microsoft-Windows-Kernel-Process |
+| WMI Event Subscription | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>19</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>20</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>21</a></span> | Microsoft-Windows-Sysmon |
+| Rclone Process | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Domain Trust Created Or Removed | advanced | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706' style='color: inherit;'>4706</a></span>, <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4707' style='color: inherit;'>4707</a></span> | Microsoft-Windows-Security-Auditing |
+| Default Encoding To UTF-8 PowerShell | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Malicious PowerShell Keywords | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
+| Python Opening Ports | advanced | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5154' style='color: inherit;'>5154</a></span> | Microsoft-Windows-Security-Auditing |
+| WerFaultSecure Abuse | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
+| RDP Configuration File From Mail Process | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Kernel-Process, Microsoft-Windows-Kernel-File |
+| Suspicious Outbound Kerberos Connection | advanced | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156' style='color: inherit;'>5156</a></span> | Microsoft-Windows-Security-Auditing |
+| RDP Login From Localhost | advanced | <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624' style='color: inherit;'>4624</a> | Microsoft-Windows-Security-Auditing |
+| Openfiles Usage | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
+| Correlation Admin Files Checked On Network Share | advanced | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
+| Account Tampering - Suspicious Failed Logon Reasons | advanced | <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625' style='color: inherit;'>4625</a>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776' style='color: inherit;'>4776</a></span> | Microsoft-Windows-Security-Auditing |
+| AutoIt3 Execution From Suspicious Folder | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
+| XCopy Suspicious Usage | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Legitimate Process Execution From Unusual Folder | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span>, <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688' style='color: inherit;'>4688</a></span> | Microsoft-Windows-Sysmon |
+| Domain Group And Permission Enumeration | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious PowerShell Keywords | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
+| Suspicious ADSI-Cache Usage By Unknown Tool | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
+| Svchost Modification | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Netsh Program Allowed With Suspicious Location | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| External Disk Drive Or USB Storage Device | advanced | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6416' style='color: inherit;'>6416</a></span> | Microsoft-Windows-Security-Auditing |
+| Successful Overpass The Hash Attempt | advanced | <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624' style='color: inherit;'>4624</a> | Microsoft-Windows-Security-Auditing |
+| Rubeus Tool Command-line | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| CertOC Loading Dll | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
 | Suspicious DNS Child Process | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| MalwareBytes Uninstallation | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| GPO Executable Delivery | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136' style='color: inherit;'>5136</a></span> | Microsoft-Windows-Security-Auditing |
-| Transferring Files With Credential Data Via Network Shares | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
-| NTDS.dit File Interaction Through Command Line | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Microsoft Defender Antivirus Restoration Abuse | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| DHCP Callout DLL Installation | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Cmdkey Cached Credentials Recon | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Netscan Share Access Artefact | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
-| Suspicious CodePage Switch with CHCP | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| XSL Script Processing And SquiblyTwo Attack | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| New DLL Added To AppCertDlls Registry Key | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| PowerShell Execution Via Rundll32 | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Werfault DLL Injection | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
+| Schtasks Suspicious Parent | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
+| Suspicious Desktopimgdownldr Execution | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| JS PowerShell Infection Chains | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
 | Suspicious SAM Dump | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>16</a></span> | Microsoft-Windows-Kernel-General |
-| Remote Enumeration Of Lateral Movement Groups | intermediate | 4799 | Microsoft-Windows-Security-Auditing |
+| Windows Suspicious Service Creation | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697' style='color: inherit;'>4697</a></span> | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon |
 | Cobalt Strike Default Beacons Names | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>15</a></span> | Microsoft-Windows-Sysmon |
-| Screenconnect Remote Execution | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
-| Microsoft Defender Antivirus Restoration Abuse | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious Commands From MS SQL Server Shell | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
+| Copy Of Legitimate System32 Executable | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Microsoft Exchange Server Creating Unusual Files | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
+| Formbook Hijacked Process Command | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Active Directory Replication User Backdoor | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136' style='color: inherit;'>5136</a></span> | Microsoft-Windows-Security-Auditing |
+| Wmic Service Call | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Active Directory User Backdoors | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662' style='color: inherit;'>4662</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136' style='color: inherit;'>5136</a></span> | Microsoft-Windows-Security-Auditing |
+| Remote Task Creation Via ATSVC Named Pipe | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
+| Gpscript Suspicious Parent | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Exchange Server Spawning Suspicious Processes | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Eventlog Cleared | intermediate | 517, <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1102' style='color: inherit;'>1102</a> | Microsoft-Windows-Eventlog |
+| Exploiting SetupComplete.cmd CVE-2019-1378 | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Disable .NET ETW Through COMPlus_ETWEnabled | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Microsoft Office Spawning Script | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Network Connection Via Certutil | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
+| SolarWinds Wrong Child Process | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| LSASS Memory Dump File Creation | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious Outlook Child Process | intermediate | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688' style='color: inherit;'>4688</a></span> | Microsoft-Windows-Security-Auditing |
+| Mshta Suspicious Child Process | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
+| High Privileges Network Share Removal | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process, Microsoft-Windows-Sysmon |
+| Suspicious PowerShell Invocations - Specific | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious CommandLine Lsassy Pattern | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
+| MSBuild Abuse | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
+| Network Sniffing Windows | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Microsoft-Windows-Sysmon |
+| BazarLoader Persistence Using Schtasks | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | WCE wceaux.dll Creation | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Kernel-File |
-| Exfiltration Domain In Command Line | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious Network Args In Command Line | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process, Microsoft-Windows-Sysmon |
+| RDP Port Change Using Powershell | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Screenconnect Remote Execution | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
+| STRRAT Scheduled Task | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Suspicious Cmd File Copy Command To Network Share | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Kernel-File |
+| DHCP Server Error Failed Loading the CallOut DLL | intermediate | 1031, 1032, 1034 | Microsoft-Windows-DHCP-Server |
+| Mshta Command From A Scheduled Task | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
+| Transferring Files With Credential Data Via Network Shares | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
+| DHCP Server Loaded the CallOut DLL | intermediate | 1033 | Microsoft-Windows-DHCP-Server |
+| Process Memory Dump Using Comsvcs | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process, Microsoft-Windows-Sysmon |
+| SOCKS Tunneling Tool | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious Scripting In A WMI Consumer | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>20</a></span> | Microsoft-Windows-Sysmon |
+| ETW Tampering | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Rare Lsass Child Found | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| KeePass Config XML In Command-Line | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Windows Suspicious Service Creation | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697' style='color: inherit;'>4697</a></span> | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon |
-| Backup Catalog Deleted | intermediate | 524 | Microsoft-Windows-Backup |
-| CMSTP UAC Bypass via COM Object Access | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Python HTTP Server | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Remote Task Creation Via ATSVC Named Pipe | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
-| New Or Renamed User Account With '$' In Attribute 'SamAccountName' | intermediate | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720' style='color: inherit;'>4720</a></span>, 4781 | Microsoft-Windows-Security-Auditing |
+| Microsoft Malware Protection Engine Crash | intermediate | 1000 | Application Error |
+| Suspicious Taskkill Command | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Possible RottenPotato Attack | intermediate | <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624' style='color: inherit;'>4624</a> | Microsoft-Windows-Security-Auditing |
+| Suspicious Mshta Execution From Wmi | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Phosphorus Domain Controller Discovery | intermediate | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
+| Formbook File Creation DB1 | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
+| Correlation Post Exploitation Patterns Via Winrm | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
+| Spyware Persistence Using Schtasks | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Reconnaissance Commands Activities | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
+| Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data | intermediate | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
+| TrustedInstaller Impersonation | intermediate | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
+| Njrat Registry Values | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious Process Requiring DLL Starts Without DLL | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| NetNTLM Downgrade Attack | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4657' style='color: inherit;'>4657</a></span> | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon |
+| Creation or Modification of a GPO Scheduled Task | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
+| OneNote Embedded File | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>15</a></span> | Microsoft-Windows-Sysmon |
+| XSL Script Processing And SquiblyTwo Attack | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Correlation Priv Esc Via Remote Thread | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>8</a></span>, 4703 | Kernel-Process, Microsoft-Windows-Kernel-Process, Microsoft-Windows-Security-Auditing |
+| Netsh Allowed Python Program | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious Driver Loaded | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Data Compressed With Rar With Password | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Impacket Addcomputer | intermediate | 4741 | Microsoft-Windows-Security-Auditing |
+| Microsoft Defender Antivirus Disabled Base64 Encoded | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Clear EventLogs Through CommandLine | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Microsoft Defender Antivirus Disable Services | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| HackTools Suspicious Process Names In Command Line | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Kernel-File, Microsoft-Windows-Sysmon |
+| Powershell Web Request And Windows Script | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
 | Detection of default Mimikatz banner | intermediate | <span style="color:#B60016">4103</span> | Microsoft-Windows-PowerShell |
-| Suspicious Scripting In A WMI Consumer | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>20</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious CodePage Switch with CHCP | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Impacket Secretsdump.py Tool | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
+| DLL Load via LSASS Registry Key | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>12</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Correlation Suspicious Authentication Coercer Behavior | intermediate | <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624' style='color: inherit;'>4624</a>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
+| Wmic Process Call Creation | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Trickbot Malware Activity | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| UAC Bypass Using Fodhelper | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
 | Venom Multi-hop Proxy agent detection | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
-| Active Directory Replication User Backdoor | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136' style='color: inherit;'>5136</a></span> | Microsoft-Windows-Security-Auditing |
-| Exchange Mailbox Export | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Registry Key Used By Some Old Agent Tesla Samples | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious DLL Loading By Ordinal | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| MalwareBytes Uninstallation | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Secure Deletion With SDelete | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656' style='color: inherit;'>4656</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4658' style='color: inherit;'>4658</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663' style='color: inherit;'>4663</a></span> | Microsoft-Windows-Security-Auditing |
+| QakBot Process Creation | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| New Or Renamed User Account With '$' In Attribute 'SamAccountName' | intermediate | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720' style='color: inherit;'>4720</a></span>, 4781 | Microsoft-Windows-Security-Auditing |
+| CMSTP Execution | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Password Change On Directory Service Restore Mode (DSRM) Account | intermediate | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4794' style='color: inherit;'>4794</a></span> | Microsoft-Windows-Security-Auditing |
+| MMC20 Lateral Movement | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Hijack Legit RDP Session To Move Laterally | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
+| Microsoft Defender Antivirus Set-MpPreference Base64 Encoded | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Microsoft Defender Antivirus Disable Scheduled Tasks | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Kernel-Process, Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Suspicious Kerberos Ticket | intermediate | 4768 | Microsoft-Windows-Security-Auditing |
+| Explorer Process Executing HTA File | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Audio Capture via PowerShell | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Suspicious LDAP-Attributes Used | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136' style='color: inherit;'>5136</a></span> | Microsoft-Windows-Security-Auditing |
+| Denied Access To Remote Desktop | intermediate | 4825 | Microsoft-Windows-Security-Auditing |
+| DC Shadow via Service Principal Name (SPN) creation | intermediate | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4742' style='color: inherit;'>4742</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136' style='color: inherit;'>5136</a></span> | Microsoft-Windows-Security-Auditing |
+| Active Directory Delegate To KRBTGT Service | intermediate | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738' style='color: inherit;'>4738</a></span> | Microsoft-Windows-Security-Auditing |
+| Suspicious Finger Usage | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Python HTTP Server | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| DNS Exfiltration and Tunneling Tools Execution | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| COM Hijack Via Sdclt | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| OceanLotus Registry Activity | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
 | SquirrelWaffle Malspam Execution Loading DLL | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| WMIC Uninstall Product | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious Mshta Execution | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Lsass Access Through WinRM | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>10</a></span> | Microsoft-Windows-Sysmon |
+| MOFComp Execution | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Sysprep On AppData Folder | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious Rundll32.exe Executions | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process, Microsoft-Windows-Sysmon |
+| UAC Bypass via Event Viewer | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Exfiltration Domain In Command Line | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Credential Dumping Tools Service Execution | intermediate | <span style="color:#B60016">7045</span> | Service Control Manager |
 | Qakbot Persistence Using Schtasks | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Mshta Suspicious Child Process | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
-| UAC Bypass Using Fodhelper | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious LDAP-Attributes Used | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136' style='color: inherit;'>5136</a></span> | Microsoft-Windows-Security-Auditing |
-| Correlation Priv Esc Via Remote Thread | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>8</a></span>, 4703 | Kernel-Process, Microsoft-Windows-Kernel-Process, Microsoft-Windows-Security-Auditing |
-| Microsoft Malware Protection Engine Crash | intermediate | 1000 | Application Error |
-| Suspicious CommandLine Lsassy Pattern | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
-| Suspicious Windows Script Execution | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
-| Suspicious Commands From MS SQL Server Shell | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
-| DHCP Server Error Failed Loading the CallOut DLL | intermediate | 1031, 1032, 1033, 1034 | Microsoft-Windows-DHCP-Server |
-| Active Directory User Backdoors | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662' style='color: inherit;'>4662</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136' style='color: inherit;'>5136</a></span> | Microsoft-Windows-Security-Auditing |
+| Suspect Svchost Memory Access | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>10</a></span> | Microsoft-Windows-Sysmon |
+| Microsoft Defender Antivirus Disable SecurityHealth | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
 | Password Dumper Activity On LSASS | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656' style='color: inherit;'>4656</a></span> | Microsoft-Windows-Security-Auditing |
-| DPAPI Domain Backup Key Extraction | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662' style='color: inherit;'>4662</a></span> | Microsoft-Windows-Security-Auditing |
-| Microsoft Defender Antivirus Disable Scheduled Tasks | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Kernel-Process, Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| StoneDrill Service Install | intermediate | <span style="color:#B60016">7045</span> | Service Control Manager |
 | TUN/TAP Driver Installation | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697' style='color: inherit;'>4697</a></span>, <span style="color:#B60016">7045</span> | Service Control Manager |
+| Ngrok Process Execution | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Malicious Named Pipe | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>17</a></span> | Microsoft-Windows-Sysmon |
-| Cmdkey Cached Credentials Recon | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Clear EventLogs Through CommandLine | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| UAC Bypass via Event Viewer | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| New DLL Added To AppCertDlls Registry Key | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Netsh Allowed Python Program | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| High Privileges Network Share Removal | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process, Microsoft-Windows-Sysmon |
-| Powershell Web Request And Windows Script | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
-| ETW Tampering | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Denied Access To Remote Desktop | intermediate | 4825 | Microsoft-Windows-Security-Auditing |
-| Impacket Addcomputer | intermediate | 4741 | Microsoft-Windows-Security-Auditing |
+| DPAPI Domain Backup Key Extraction | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662' style='color: inherit;'>4662</a></span> | Microsoft-Windows-Security-Auditing |
 | Suspicious DLL side loading from ProgramData | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
-| Microsoft Office Spawning Script | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| JS PowerShell Infection Chains | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
-| Active Directory Delegate To KRBTGT Service | intermediate | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738' style='color: inherit;'>4738</a></span> | Microsoft-Windows-Security-Auditing |
-| SOCKS Tunneling Tool | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Exchange Mailbox Export | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Correlation PowerShell Suspicious DLL Loading | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process, Microsoft-Windows-PowerShell |
+| CMSTP UAC Bypass via COM Object Access | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Registry Key Used By Some Old Agent Tesla Samples | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| PowerCat Function Loading | intermediate | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
 | Netsh RDP Port Opening | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Werfault DLL Injection | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
-| Phosphorus Domain Controller Discovery | intermediate | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
-| PowerShell Execution Via Rundll32 | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Network Connection Via Certutil | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
-| DC Shadow via Service Principal Name (SPN) creation | intermediate | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4742' style='color: inherit;'>4742</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136' style='color: inherit;'>5136</a></span> | Microsoft-Windows-Security-Auditing |
-| Audio Capture via PowerShell | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Correlation Supicious Powershell Drop and Exec | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>3</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Kernel-Process, Microsoft-Windows-Kernel-File, Microsoft-Windows-Kernel-Network |
 | MavInject Process Injection | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| STRRAT Scheduled Task | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| HackTools Suspicious Process Names In Command Line | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Suspect Svchost Memory Access | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>10</a></span> | Microsoft-Windows-Sysmon |
-| MSBuild Abuse | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
-| Secure Deletion With SDelete | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656' style='color: inherit;'>4656</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4658' style='color: inherit;'>4658</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663' style='color: inherit;'>4663</a></span> | Microsoft-Windows-Security-Auditing |
-| OceanLotus Registry Activity | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious DLL Loading By Ordinal | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| CertOC Loading Dll | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
-| Suspicious Finger Usage | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| TrustedInstaller Impersonation | intermediate | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
-| Disable .NET ETW Through COMPlus_ETWEnabled | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Exploiting SetupComplete.cmd CVE-2019-1378 | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Wmic Service Call | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| DHCP Callout DLL Installation | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Correlation PowerShell Suspicious DLL Loading | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process, Microsoft-Windows-PowerShell |
-| Wmic Process Call Creation | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| MMC20 Lateral Movement | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| RDP Port Change Using Powershell | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
 | Evil Winrm Modules Execution | intermediate | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
-| Mshta Command From A Scheduled Task | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
-| Correlation Suspicious Authentication Coercer Behavior | intermediate | <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624' style='color: inherit;'>4624</a>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
-| Inhibit System Recovery Deleting Backups | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| OneNote Embedded File | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>15</a></span> | Microsoft-Windows-Sysmon |
+| Bloodhound and Sharphound Tools Usage | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| NTDS.dit File Interaction Through Command Line | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| GPO Executable Delivery | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136' style='color: inherit;'>5136</a></span> | Microsoft-Windows-Security-Auditing |
 | SolarWinds Suspicious File Creation | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
-| Copy Of Legitimate System32 Executable | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Suspicious Outlook Child Process | intermediate | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688' style='color: inherit;'>4688</a></span> | Microsoft-Windows-Security-Auditing |
-| CMSTP Execution | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Formbook Hijacked Process Command | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Creation or Modification of a GPO Scheduled Task | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
-| Suspicious Desktopimgdownldr Execution | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| WMIC Uninstall Product | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| LSASS Memory Dump File Creation | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
-| DCSync Attack | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662' style='color: inherit;'>4662</a></span> | Microsoft-Windows-Security-Auditing |
-| Suspicious Driver Loaded | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
 | Suspicious certutil command | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Lsass Access Through WinRM | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>10</a></span> | Microsoft-Windows-Sysmon |
-| Explorer Process Executing HTA File | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Password Change On Directory Service Restore Mode (DSRM) Account | intermediate | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4794' style='color: inherit;'>4794</a></span> | Microsoft-Windows-Security-Auditing |
-| DLL Load via LSASS Registry Key | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>12</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Trickbot Malware Activity | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Formbook File Creation DB1 | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
-| DNS Exfiltration and Tunneling Tools Execution | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Microsoft Defender Antivirus Disable SecurityHealth | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Sysprep On AppData Folder | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious Kerberos Ticket | intermediate | 4768 | Microsoft-Windows-Security-Auditing |
-| DHCP Server Loaded the CallOut DLL | intermediate | 1033 |  |
-| Disable Workstation Lock | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| KeePass Config XML In Command-Line | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Chafer (APT 39) Activity | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697' style='color: inherit;'>4697</a></span>, <span style="color:#B60016">7045</span> | Microsoft-Windows-Security-Auditing, Service Control Manager |
+| Backup Catalog Deleted | intermediate | 524 | Microsoft-Windows-Backup |
+| Suspicious Windows Script Execution | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
+| Suspicious Network Args In Command Line | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process, Microsoft-Windows-Sysmon |
+| DCSync Attack | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662' style='color: inherit;'>4662</a></span> | Microsoft-Windows-Security-Auditing |
+| Inhibit System Recovery Deleting Backups | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Lazarus Loaders | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| APT29 Fake Google Update Service Install | elementary | <span style="color:#B60016">7045</span> | Service Control Manager |
 | LanManServer Registry Modify | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious Headless Web Browser Execution To Download File | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
-| Active Directory Data Export Using Csvde | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
-| Suspicious Hangul Word Processor Child Process | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| UAC Bypass Via Sdclt | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Tactical RMM Installation | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
-| Debugging Software Deactivation | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Copying Sensitive Files With Credential Data | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| SeEnableDelegationPrivilege Granted To User Or Machine In Active Directory | elementary | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4704' style='color: inherit;'>4704</a></span> | Microsoft-Windows-Security-Auditing |
-| Suspicious Windows ANONYMOUS LOGON Local Account Created | elementary | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720' style='color: inherit;'>4720</a></span> | Microsoft-Windows-Security-Auditing |
-| FlowCloud Malware | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Kerberos Pre-Auth Disabled in UAC | elementary | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738' style='color: inherit;'>4738</a></span> | Microsoft-Windows-Security-Auditing |
-| Antivirus Exploitation Framework Detection | elementary | 1011, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1116</a></span> | Microsoft-Windows-Windows Defender |
+| Netsh RDP Port Forwarding | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Wdigest Enable UseLogonCredential | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Meterpreter or Cobalt Strike Getsystem Service Installation | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>17</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697' style='color: inherit;'>4697</a></span>, <span style="color:#B60016">7045</span> | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon, Service Control Manager |
-| Schtasks Persistence With High Privileges | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Leviathan Registry Key Activity | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| CVE-2019-0708 Scan | elementary | <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625' style='color: inherit;'>4625</a> | Microsoft-Windows-Security-Auditing |
-| Process Memory Dump Using Rdrleakdiag | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
-| SysKey Registry Keys Access | elementary | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656' style='color: inherit;'>4656</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663' style='color: inherit;'>4663</a></span> | Microsoft-Windows-Security-Auditing |
-| Malicious Service Installations | elementary | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697' style='color: inherit;'>4697</a></span>, <span style="color:#B60016">7045</span> | Service Control Manager |
-| Domain Trust Discovery Through LDAP | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688' style='color: inherit;'>4688</a></span> | Microsoft-REDACTED-Security-Auditing, Microsoft-Windows-Sysmon |
+| Suspicious Hangul Word Processor Child Process | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Exploit For CVE-2015-1641 | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Office Application Startup Office Test | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| PasswordDump SecurityXploded Tool | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| PowerShell Downgrade Attack | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Audit CVE Event | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Audit-CVE |
-| Disabling SmartScreen Via Registry | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Suncrypt Parameters | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| RedMimicry Winnti Playbook Registry Manipulation | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Microsoft Office Startup Add-In | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious VBS Execution Parameter | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Raccine Uninstall | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Sigma Intelligence ErrTraffic PowerShell Command Line | elementary | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
-| IcedID Execution Using Excel | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Microsoft Defender Antivirus Signatures Removed With MpCmdRun | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious Windows ANONYMOUS LOGON Local Account Created | elementary | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720' style='color: inherit;'>4720</a></span> | Microsoft-Windows-Security-Auditing |
+| Microsoft Defender Antivirus History Directory Deleted | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Winword Document Droppers | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | RedMimicry Winnti Playbook Dropped File | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
+| Turla Named Pipes | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>17</a></span> | Microsoft-Windows-Sysmon |
 | Phosphorus (APT35) Exchange Discovery | elementary | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
+| Impacket Wmiexec Module | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688' style='color: inherit;'>4688</a></span> | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon |
+| Smbexec.py Service Installation | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>6</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697' style='color: inherit;'>4697</a></span>, <span style="color:#B60016">7045</span> | Service Control Manager |
+| Suspicious Certificate Request-adcs Abuse | elementary | 4886, 4887 | Microsoft-Windows-Security-Auditing |
+| PowerShell Downgrade Attack | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Disabling SmartScreen Via Registry | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Correlation Impacket Smbexec | elementary | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
 | Invoke-TheHash Commandlets | elementary | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
-| Elise Backdoor | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Active Directory Database Dump Via Ntdsutil | elementary | 325 | ESENT |
+| Domain Trust Discovery Through LDAP | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688' style='color: inherit;'>4688</a></span> | Microsoft-REDACTED-Security-Auditing, Microsoft-Windows-Sysmon |
+| Credential Dumping By LaZagne | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>10</a></span> | Microsoft-Windows-Sysmon |
 | Windows Defender Logging Modification Via Registry | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Kernel-Process, Microsoft-Windows-Sysmon |
 | Ursnif Registry Key | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| WMI Persistence Command Line Event Consumer | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
-| Phorpiex DriveMgr Command | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| APT29 Fake Google Update Service Install | elementary | <span style="color:#B60016">7045</span> | Service Control Manager |
-| Malspam Execution Registering Malicious DLL | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
-| Turla Named Pipes | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>17</a></span> | Microsoft-Windows-Sysmon |
-| Credential Dumping By LaZagne | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>10</a></span> | Microsoft-Windows-Sysmon |
-| Mshta JavaScript Execution | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Impacket Wmiexec Module | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688' style='color: inherit;'>4688</a></span> | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon |
-| Winword Document Droppers | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Microsoft Defender Antivirus Signatures Removed With MpCmdRun | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| ICacls Granting Access To All | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Antivirus Web Shell Detection | elementary | <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1116</a></span> | Microsoft-Windows-Windows Defender |
-| Smbexec.py Service Installation | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>6</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697' style='color: inherit;'>4697</a></span>, <span style="color:#B60016">7045</span> | Service Control Manager |
-| Security Support Provider (SSP) Added to LSA Configuration | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Blue Mockingbird Malware | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Exploited CVE-2020-10189 Zoho ManageEngine | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Netsh RDP Port Forwarding | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| SeEnableDelegationPrivilege Granted To User Or Machine In Active Directory | elementary | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4704' style='color: inherit;'>4704</a></span> | Microsoft-Windows-Security-Auditing |
+| Disable Workstation Lock | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Mimikatz Basic Commands | elementary | <span style="color:#B60016">4103</span> | Microsoft-Windows-PowerShell |
+| Malicious Service Installations | elementary | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697' style='color: inherit;'>4697</a></span>, <span style="color:#B60016">7045</span> | Service Control Manager |
+| Active Directory Database Dump Via Ntdsutil | elementary | 325 | ESENT |
+| Mshta JavaScript Execution | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Copying Browser Files With Credentials | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| FlowCloud Malware | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| CVE-2019-0708 Scan | elementary | <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625' style='color: inherit;'>4625</a> | Microsoft-Windows-Security-Auditing |
+| Office Application Startup Office Test | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious Netsh DLL Persistence | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Cobalt Strike Default Service Creation Usage | elementary | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697' style='color: inherit;'>4697</a></span>, <span style="color:#B60016">7045</span> | Microsoft-Windows-Security-Auditing, Service Control Manager |
+| Debugging Software Deactivation | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious Headless Web Browser Execution To Download File | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
+| WMI Persistence Command Line Event Consumer | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
+| Antivirus Exploitation Framework Detection | elementary | 1011, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1116</a></span> | Microsoft-Windows-Windows Defender |
+| Security Support Provider (SSP) Added to LSA Configuration | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
 | Empire Monkey Activity | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Antivirus Password Dumper Detection | elementary | <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1116</a></span> | Microsoft-Windows-Windows Defender |
+| Microsoft Office Startup Add-In | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
+| Schtasks Persistence With High Privileges | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Kerberos Pre-Auth Disabled in UAC | elementary | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738' style='color: inherit;'>4738</a></span> | Microsoft-Windows-Security-Auditing |
+| Meterpreter or Cobalt Strike Getsystem Service Installation | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>17</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697' style='color: inherit;'>4697</a></span>, <span style="color:#B60016">7045</span> | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon, Service Control Manager |
+| Equation Group DLL_U Load | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Audit CVE Event | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Audit-CVE |
+| Phorpiex DriveMgr Command | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Malspam Execution Registering Malicious DLL | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
+| Enabling Restricted Admin Mode | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
+| Phorpiex Process Masquerading | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious VBS Execution Parameter | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Process Memory Dump Using Rdrleakdiag | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
+| Elise Backdoor | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Sticky Key Like Backdoor Usage | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Mustang Panda Dropper | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| RTLO Character | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>15</a></span> | Microsoft-Windows-Sysmon |
-| Msdt (Follina) File Browse Process Execution | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Dumpert LSASS Process Dumper | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
-| Windows Credential Editor Registry Key | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Correlation Impacket Smbexec | elementary | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
+| DNS Tunnel Technique From MuddyWater | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| RedMimicry Winnti Playbook Registry Manipulation | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| SysKey Registry Keys Access | elementary | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656' style='color: inherit;'>4656</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663' style='color: inherit;'>4663</a></span> | Microsoft-Windows-Security-Auditing |
 | AdFind Usage | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Dumpert LSASS Process Dumper | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
+| Sigma Intelligence ErrTraffic PowerShell Command Line | elementary | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
+| Active Directory Shadow Credentials | elementary | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136' style='color: inherit;'>5136</a></span> | Microsoft-Windows-Security-Auditing |
 | Windows Update LolBins | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| DNS Tunnel Technique From MuddyWater | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Cobalt Strike Default Service Creation Usage | elementary | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697' style='color: inherit;'>4697</a></span>, <span style="color:#B60016">7045</span> | Microsoft-Windows-Security-Auditing, Service Control Manager |
-| Microsoft Defender Antivirus History Directory Deleted | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious Netsh DLL Persistence | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Lazarus Loaders | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Enabling Restricted Admin Mode | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
 | WMI Install Of Binary | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Phorpiex Process Masquerading | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Process Memory Dump Using Createdump | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
-| Mimikatz Basic Commands | elementary | <span style="color:#B60016">4103</span> | Microsoft-Windows-PowerShell |
-| Suspicious Certificate Request-adcs Abuse | elementary | 4886, 4887 | Microsoft-Windows-Security-Auditing |
-| Active Directory Shadow Credentials | elementary | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136' style='color: inherit;'>5136</a></span> | Microsoft-Windows-Security-Auditing |
-| Blue Mockingbird Malware | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Suncrypt Parameters | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| RTLO Character | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>15</a></span> | Microsoft-Windows-Sysmon |
 | Disable Task Manager Through Registry Key | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Equation Group DLL_U Load | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| ICacls Granting Access To All | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Copying Browser Files With Credentials | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Active Directory Data Export Using Csvde | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
+| UAC Bypass Via Sdclt | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Raccine Uninstall | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Windows Credential Editor Registry Key | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Leviathan Registry Key Activity | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| PasswordDump SecurityXploded Tool | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Antivirus Password Dumper Detection | elementary | <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1116</a></span> | Microsoft-Windows-Windows Defender |
+| IcedID Execution Using Excel | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Copying Sensitive Files With Credential Data | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Mustang Panda Dropper | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Tactical RMM Installation | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
+| Msdt (Follina) File Browse Process Execution | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Process Memory Dump Using Createdump | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
 
 ## EventIDs occurrences in rules
-| EventID | Number of rules concerned | Percentage of rules concerned (Total rules: 480) |
+| EventID | Number of rules concerned | Percentage of rules concerned (Total rules: 478) |
 | ------- | ------------------------- | ------------------------------------------------------ |
-| 1 | 236 | 49.17 % |
-| 13 | 52 | 10.83 % |
-| 4104 | 48 | 10.0 % |
-| 5 | 35 | 7.29 % |
-| 11 | 27 | 5.62 % |
-| 7 | 15 | 3.12 % |
-| 5145 | 15 | 3.12 % |
-| 7045 | 11 | 2.29 % |
-| 4688 | 10 | 2.08 % |
+| 1 | 236 | 49.37 % |
+| 13 | 52 | 10.88 % |
+| 4104 | 48 | 10.04 % |
+| 5 | 35 | 7.32 % |
+| 11 | 27 | 5.65 % |
+| 7 | 15 | 3.14 % |
+| 5145 | 15 | 3.14 % |
+| 7045 | 11 | 2.3 % |
+| 4688 | 10 | 2.09 % |
 | 4656 | 8 | 1.67 % |
 | 4697 | 7 | 1.46 % |
 | 15 | 7 | 1.46 % |
-| 4663 | 6 | 1.25 % |
-| 17 | 6 | 1.25 % |
-| 4662 | 6 | 1.25 % |
-| 4624 | 6 | 1.25 % |
-| 5136 | 6 | 1.25 % |
-| 10 | 6 | 1.25 % |
-| 1116 | 5 | 1.04 % |
-| 3 | 4 | 0.83 % |
-| 4625 | 4 | 0.83 % |
-| 22 | 3 | 0.62 % |
-| 4720 | 3 | 0.62 % |
-| 4103 | 3 | 0.62 % |
-| 8 | 3 | 0.62 % |
+| 17 | 6 | 1.26 % |
+| 4662 | 6 | 1.26 % |
+| 4663 | 6 | 1.26 % |
+| 5136 | 6 | 1.26 % |
+| 10 | 6 | 1.26 % |
+| 4624 | 6 | 1.26 % |
+| 1116 | 5 | 1.05 % |
+| 3 | 4 | 0.84 % |
+| 4625 | 4 | 0.84 % |
+| 4720 | 3 | 0.63 % |
+| 22 | 3 | 0.63 % |
+| 4103 | 3 | 0.63 % |
+| 8 | 3 | 0.63 % |
+| 25 | 2 | 0.42 % |
+| 4728 | 2 | 0.42 % |
+| 6 | 2 | 0.42 % |
 | 5007 | 2 | 0.42 % |
+| 20 | 2 | 0.42 % |
+| 4729 | 2 | 0.42 % |
 | 4657 | 2 | 0.42 % |
-| 4738 | 2 | 0.42 % |
-| 4728 | 2 | 0.42 % |
 | 4768 | 2 | 0.42 % |
-| 4799 | 2 | 0.42 % |
-| 4729 | 2 | 0.42 % |
 | 12 | 2 | 0.42 % |
-| 6 | 2 | 0.42 % |
-| 20 | 2 | 0.42 % |
-| 1033 | 2 | 0.42 % |
-| 25 | 2 | 0.42 % |
-| 4674 | 1 | 0.21 % |
-| 4704 | 1 | 0.21 % |
-| 4776 | 1 | 0.21 % |
-| 1011 | 1 | 0.21 % |
-| 1127 | 1 | 0.21 % |
-| 5001 | 1 | 0.21 % |
-| 5101 | 1 | 0.21 % |
-| 5010 | 1 | 0.21 % |
-| 5012 | 1 | 0.21 % |
-| 2013 | 1 | 0.21 % |
-| 4743 | 1 | 0.21 % |
+| 4738 | 2 | 0.42 % |
+| 4661 | 1 | 0.21 % |
 | 16 | 1 | 0.21 % |
-| 4706 | 1 | 0.21 % |
-| 4707 | 1 | 0.21 % |
-| 517 | 1 | 0.21 % |
-| 1102 | 1 | 0.21 % |
 | 8001 | 1 | 0.21 % |
-| 4754 | 1 | 0.21 % |
-| 4756 | 1 | 0.21 % |
-| 4757 | 1 | 0.21 % |
-| 4758 | 1 | 0.21 % |
-| 4727 | 1 | 0.21 % |
-| 4730 | 1 | 0.21 % |
-| 4764 | 1 | 0.21 % |
-| 524 | 1 | 0.21 % |
-| 4781 | 1 | 0.21 % |
-| 5154 | 1 | 0.21 % |
-| 19 | 1 | 0.21 % |
-| 21 | 1 | 0.21 % |
-| 325 | 1 | 0.21 % |
-| 4703 | 1 | 0.21 % |
-| 4661 | 1 | 0.21 % |
-| 1000 | 1 | 0.21 % |
-| 1032 | 1 | 0.21 % |
-| 1034 | 1 | 0.21 % |
-| 1031 | 1 | 0.21 % |
-| 4726 | 1 | 0.21 % |
-| 4649 | 1 | 0.21 % |
-| 4825 | 1 | 0.21 % |
-| 4741 | 1 | 0.21 % |
-| 6416 | 1 | 0.21 % |
-| 4742 | 1 | 0.21 % |
+| 4743 | 1 | 0.21 % |
+| 4886 | 1 | 0.21 % |
+| 4887 | 1 | 0.21 % |
 | 1125 | 1 | 0.21 % |
 | 1126 | 1 | 0.21 % |
 | 1006 | 1 | 0.21 % |
@@ -584,50 +544,88 @@ The colors of the EventIDs in this page should be interpreted as follow:
 | 1117 | 1 | 0.21 % |
 | 1118 | 1 | 0.21 % |
 | 1119 | 1 | 0.21 % |
-| 5140 | 1 | 0.21 % |
-| 1013 | 1 | 0.21 % |
-| 4658 | 1 | 0.21 % |
-| 4732 | 1 | 0.21 % |
-| 4698 | 1 | 0.21 % |
+| 4674 | 1 | 0.21 % |
+| 517 | 1 | 0.21 % |
+| 1102 | 1 | 0.21 % |
+| 1032 | 1 | 0.21 % |
+| 1034 | 1 | 0.21 % |
+| 1031 | 1 | 0.21 % |
+| 1033 | 1 | 0.21 % |
+| 4704 | 1 | 0.21 % |
+| 1000 | 1 | 0.21 % |
+| 4799 | 1 | 0.21 % |
+| 325 | 1 | 0.21 % |
+| 4726 | 1 | 0.21 % |
+| 4754 | 1 | 0.21 % |
+| 4756 | 1 | 0.21 % |
+| 4757 | 1 | 0.21 % |
+| 4758 | 1 | 0.21 % |
+| 4727 | 1 | 0.21 % |
+| 4730 | 1 | 0.21 % |
+| 4764 | 1 | 0.21 % |
 | 4611 | 1 | 0.21 % |
+| 1011 | 1 | 0.21 % |
+| 4703 | 1 | 0.21 % |
 | 23 | 1 | 0.21 % |
-| 4886 | 1 | 0.21 % |
-| 4887 | 1 | 0.21 % |
+| 1127 | 1 | 0.21 % |
+| 5001 | 1 | 0.21 % |
+| 5101 | 1 | 0.21 % |
+| 5010 | 1 | 0.21 % |
+| 5012 | 1 | 0.21 % |
+| 2013 | 1 | 0.21 % |
+| 4741 | 1 | 0.21 % |
+| 4732 | 1 | 0.21 % |
+| 4658 | 1 | 0.21 % |
+| 4781 | 1 | 0.21 % |
 | 4794 | 1 | 0.21 % |
+| 4825 | 1 | 0.21 % |
+| 4742 | 1 | 0.21 % |
 | 770 | 1 | 0.21 % |
 | 771 | 1 | 0.21 % |
 | 150 | 1 | 0.21 % |
+| 4698 | 1 | 0.21 % |
+| 19 | 1 | 0.21 % |
+| 21 | 1 | 0.21 % |
+| 4706 | 1 | 0.21 % |
+| 4707 | 1 | 0.21 % |
+| 1013 | 1 | 0.21 % |
+| 5154 | 1 | 0.21 % |
+| 4649 | 1 | 0.21 % |
 | 5156 | 1 | 0.21 % |
+| 4776 | 1 | 0.21 % |
 | 4673 | 1 | 0.21 % |
+| 5140 | 1 | 0.21 % |
+| 524 | 1 | 0.21 % |
+| 6416 | 1 | 0.21 % |
 
 ## EventProviders occurrences in rules
-| EventProvider | Number of rules concerned | Percentage of rules concerned (Total rules: 480) |
+| EventProvider | Number of rules concerned | Percentage of rules concerned (Total rules: 478) |
 | ------- | ------------------------- | ------------------------------------------------------ |
-| Microsoft-Windows-Sysmon | 288 | 60.0 % |
-| Microsoft-Windows-Security-Auditing | 87 | 18.12 % |
-| Kernel-Process | 65 | 13.54 % |
-| Microsoft-Windows-PowerShell | 52 | 10.83 % |
-| Service Control Manager | 11 | 2.29 % |
-| Microsoft-Windows-Kernel-File | 10 | 2.08 % |
+| Microsoft-Windows-Sysmon | 287 | 60.04 % |
+| Microsoft-Windows-Security-Auditing | 87 | 18.2 % |
+| Kernel-Process | 65 | 13.6 % |
+| Microsoft-Windows-PowerShell | 52 | 10.88 % |
+| Service Control Manager | 11 | 2.3 % |
+| Microsoft-Windows-Kernel-File | 10 | 2.09 % |
 | Microsoft-Windows-Windows Defender | 9 | 1.88 % |
 | Microsoft-Windows-DNS-Client | 2 | 0.42 % |
+| Microsoft-Windows-DHCP-Server | 2 | 0.42 % |
 | Microsoft-Windows-Kernel-Network | 2 | 0.42 % |
 | Microsoft-Windows-Kernel-Process | 2 | 0.42 % |
-| Microsoft-REDACTED-Security-Auditing | 1 | 0.21 % |
 | Microsoft-Windows-Kernel-General | 1 | 0.21 % |
-| Microsoft-Windows-Audit-CVE | 1 | 0.21 % |
-| Microsoft-Windows-Eventlog | 1 | 0.21 % |
 | Microsoft-Windows-NTLM | 1 | 0.21 % |
-| Microsoft-Windows-Backup | 1 | 0.21 % |
-| ESENT | 1 | 0.21 % |
+| Microsoft-REDACTED-Security-Auditing | 1 | 0.21 % |
+| Microsoft-Windows-Eventlog | 1 | 0.21 % |
 | Application Error | 1 | 0.21 % |
-| Microsoft-Windows-DHCP-Server | 1 | 0.21 % |
+| ESENT | 1 | 0.21 % |
+| Microsoft-Windows-Audit-CVE | 1 | 0.21 % |
 | Microsoft-Windows-DNS-Server-Service | 1 | 0.21 % |
+| Microsoft-Windows-Backup | 1 | 0.21 % |
 
 ## EffortLevel x EventIDs
-| Effort Level | EventIDs | Number of related rules | Percentage of related rules (Total rules: 480 |
+| Effort Level | EventIDs | Number of related rules | Percentage of related rules (Total rules: 478 |
 | ------------ | -------- | ----------------------- | ------------------------------------------------------- |
-| master | , 1, 10, 1013, 11, 1116, 12, 13, 150, 17, 22, 25, 3, 4104, 4611, 4624, 4625, 4649, 4656, 4657, 4661, 4662, 4663, 4673, 4674, 4688, 4698, 4720, 4726, 4727, 4728, 4729, 4730, 4732, 4743, 4754, 4756, 4757, 4758, 4764, 4768, 5, 5007, 5140, 5145, 7, 770, 771, 8001 | 125 | 26.04 % |
-| advanced | , 1, 10, 1006, 1007, 1008, 1015, 11, 1116, 1117, 1118, 1119, 1125, 1126, 1127, 13, 15, 17, 19, 20, 2013, 21, 22, 23, 3, 4103, 4104, 4624, 4625, 4656, 4662, 4688, 4706, 4707, 4776, 4799, 5, 5001, 5010, 5012, 5101, 5145, 5154, 5156, 6, 6416, 7, 7045, 8 | 115 | 23.96 % |
-| intermediate | 1, 10, 1000, 1031, 1032, 1033, 1034, 11, 1102, 12, 13, 15, 16, 17, 20, 3, 4103, 4104, 4624, 4656, 4657, 4658, 4662, 4663, 4688, 4697, 4703, 4720, 4738, 4741, 4742, 4768, 4781, 4794, 4799, 4825, 5, 5136, 5145, 517, 524, 7, 7045, 8 | 154 | 32.08 % |
-| elementary | 1, 10, 1011, 11, 1116, 13, 15, 17, 325, 4103, 4104, 4625, 4656, 4663, 4688, 4697, 4704, 4720, 4738, 4886, 4887, 5, 5136, 5145, 6, 7, 7045 | 86 | 17.92 % |
\ No newline at end of file
+| master | , 1, 10, 1013, 11, 1116, 12, 13, 150, 17, 22, 25, 3, 4104, 4611, 4624, 4625, 4649, 4656, 4657, 4661, 4662, 4663, 4673, 4674, 4688, 4698, 4720, 4726, 4727, 4728, 4729, 4730, 4732, 4743, 4754, 4756, 4757, 4758, 4764, 4768, 5, 5007, 5140, 5145, 7, 770, 771, 8001 | 124 | 25.94 % |
+| advanced | , 1, 10, 1006, 1007, 1008, 1015, 11, 1116, 1117, 1118, 1119, 1125, 1126, 1127, 13, 15, 17, 19, 20, 2013, 21, 22, 23, 3, 4103, 4104, 4624, 4625, 4656, 4662, 4688, 4706, 4707, 4776, 4799, 5, 5001, 5010, 5012, 5101, 5145, 5154, 5156, 6, 6416, 7, 7045, 8 | 114 | 23.85 % |
+| intermediate | 1, 10, 1000, 1031, 1032, 1033, 1034, 11, 1102, 12, 13, 15, 16, 17, 20, 3, 4103, 4104, 4624, 4656, 4657, 4658, 4662, 4663, 4688, 4697, 4703, 4720, 4738, 4741, 4742, 4768, 4781, 4794, 4825, 5, 5136, 5145, 517, 524, 7, 7045, 8 | 154 | 32.22 % |
+| elementary | 1, 10, 1011, 11, 1116, 13, 15, 17, 325, 4103, 4104, 4625, 4656, 4663, 4688, 4697, 4704, 4720, 4738, 4886, 4887, 5, 5136, 5145, 6, 7, 7045 | 86 | 17.99 % |
\ No newline at end of file