Merge branch 'master' into rule-devel

Florian Roth
2022-12-27 11:58:53 +01:00
368 changed files with 4899 additions and 1474 deletions
+2
@@ -44,3 +44,5 @@ fdbf0b9d-0182-4c43-893b-a1eaab92d085;Newly Registered Protocol Handler;.*
52a85084-6989-40c3-8f32-091e12e17692;Suspicious Usage of CVE_2021_34484 or CVE 2022_21919;Computer: Agamemnon
573df571-a223-43bc-846e-3f98da481eca;Copy a File Downloaded From Internet;7z\.exe
37774c23-25a1-4adb-bb6d-8bb9fd59c0f8;Image Load of VSS Dll by Uncommon Executable;SetupFrontEnd\.exe
1a31b18a-f00c-4061-9900-f735b96c99fc;Remote Access Tool Services Have Been Installed - System;ServiceName: TeamViewer
c8b00925-926c-47e3-beea-298fd563728e;Remote Access Tool Services Have Been Installed - Security;ServiceName: TeamViewer
1 RuleId RuleName MatchString
44 52a85084-6989-40c3-8f32-091e12e17692 Suspicious Usage of CVE_2021_34484 or CVE 2022_21919 Computer: Agamemnon
45 573df571-a223-43bc-846e-3f98da481eca Copy a File Downloaded From Internet 7z\.exe
46 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8 Image Load of VSS Dll by Uncommon Executable SetupFrontEnd\.exe
47 1a31b18a-f00c-4061-9900-f735b96c99fc Remote Access Tool Services Have Been Installed - System ServiceName: TeamViewer
48 c8b00925-926c-47e3-beea-298fd563728e Remote Access Tool Services Have Been Installed - Security ServiceName: TeamViewer
+3 -3
@@ -22,13 +22,13 @@ jobs:
- uses: actions/checkout@v2
with:
submodules: true
- name: Set up Python 3.8
- name: Set up Python 3.11
uses: actions/setup-python@v1
with:
python-version: 3.8
python-version: 3.11
- name: Install dependencies
run: |
pip install sigma-cli~=0.3.2
pip install sigma-cli~=0.5.3
- name: Test Sigma Rule Syntax
run: |
sigma check rules
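Review bot: The updated install step `pip install sigma-cli~=0.5.3` still uses a compatible-release range without hashes, so each CI run installs whatever 0.5.x build PyPI serves at that moment, and the job that gates rule syntax is neither reproducible nor protected against a tampered or broken release. Pin the exact version, `pip install sigma-cli==0.5.3`, or install from a hashed requirements file with `pip install --require-hashes -r <requirements file>`. On the new `python-version: 3.11` line, quote the value as `python-version: "3.11"`; unquoted it is a YAML float, which happens to survive for 3.11 but would turn a value such as 3.10 into 3.1. The `actions/checkout@v2` and `actions/setup-python@v1` references in the unchanged lines are mutable tags; pinning them to a full commit SHA would close the same gap for the actions themselves. The job definition starts above the hunk.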
+2 -2
@@ -3,5 +3,5 @@
The content of this repository is released under the following licenses:
- The toolchain (everything under tools/) is licensed under the GNU Lesser General Public License
- The Sigma specification and the Sigma logo are public domain
- The rules contained in the rules/ directory are released under the Detection Rule License (DRL) 1.1
- The Sigma specification (https://github.com/SigmaHQ/sigma-specification) and the Sigma logo are public domain
- The rules contained in the SigmaHQ repository (https://github.com/SigmaHQ) are released under the Detection Rule License (DRL) 1.1
Generated
+608 -290
@@ -1,7 +1,7 @@
{
"_meta": {
"hash": {
"sha256": "08bbbed72c177a3a7a43aff79af8fdde3a0ac42e15d7e112d64cac2c5d5b6e68"
"sha256": "7353b17b3a357cace77fb11fbbc501c2b619c7644c676d360f67f70a7feeb9c8"
},
"pipfile-spec": 6,
"requires": {
@@ -18,42 +18,43 @@
"default": {
"attrs": {
"hashes": [
"sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1",
"sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb"
"sha256:29adc2665447e5191d0e7c568fde78b21f9672d344281d0c6e1ab085429b22b6",
"sha256:86efa402f67bf2df34f51a335487cf46b1ec130d02b8d39fd248abfd30da551c"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
"version": "==21.2.0"
"markers": "python_version >= '3.5'",
"version": "==22.1.0"
},
"certifi": {
"hashes": [
"sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee",
"sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8"
"sha256:35824b4c3a97115964b408844d64aa14db1cc518f6562e8d7261699d1350a9e3",
"sha256:4ad3232f5e926d6718ec31cfc1fcadfde020920e278684144551c91769c7bc18"
],
"version": "==2021.5.30"
"index": "pypi",
"version": "==2022.12.7"
},
"charset-normalizer": {
"hashes": [
"sha256:0c8911edd15d19223366a194a513099a302055a962bca2cec0f54b8b63175d8b",
"sha256:f23667ebe1084be45f6ae0538e4a5a865206544097e4e8bbcacf42cd02a348f3"
"sha256:2857e29ff0d34db842cd7ca3230549d1a697f96ee6d3fb071cfa6c7393832597",
"sha256:6881edbebdb17b39b4eaaa821b438bf6eddffb4468cf344f09f89def34a8b1df"
],
"markers": "python_version >= '3'",
"version": "==2.0.4"
"version": "==2.0.12"
},
"deprecated": {
"hashes": [
"sha256:08452d69b6b5bc66e8330adde0a4f8642e969b9e1702904d137eeb29c8ffc771",
"sha256:6d2de2de7931a968874481ef30208fd4e08da39177d61d3d4ebdf4366e7dbca1"
"sha256:43ac5335da90c31c24ba028af536a91d41d53f9e6901ddb021bcc572ce44e38d",
"sha256:64756e3e14c8c5eea9795d93c524551432a0be75629f8f29e67ab8caf076c76d"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==1.2.12"
"version": "==1.2.13"
},
"idna": {
"hashes": [
"sha256:14475042e284991034cb48e06f6851428fb14c4dc953acd9be9a5e95c7b6dd7a",
"sha256:467fbad99067910785144ce333826c71fb0e63a425657295239737f7ecd125f3"
"sha256:814f528e8dead7d329833b91c5faa87d60bf71824cd12a7530b5526063d02cb4",
"sha256:90b77e79eaa3eba6de819a0c442c0b4ceefc341a7a2ab77d7562bf49f425c5c2"
],
"markers": "python_version >= '3'",
"version": "==3.2"
"version": "==3.4"
},
"jsonschema": {
"hashes": [
@@ -80,30 +81,31 @@
},
"pyrsistent": {
"hashes": [
"sha256:097b96f129dd36a8c9e33594e7ebb151b1515eb52cceb08474c10a5479e799f2",
"sha256:2aaf19dc8ce517a8653746d98e962ef480ff34b6bc563fc067be6401ffb457c7",
"sha256:404e1f1d254d314d55adb8d87f4f465c8693d6f902f67eb6ef5b4526dc58e6ea",
"sha256:48578680353f41dca1ca3dc48629fb77dfc745128b56fc01096b2530c13fd426",
"sha256:4916c10896721e472ee12c95cdc2891ce5890898d2f9907b1b4ae0f53588b710",
"sha256:527be2bfa8dc80f6f8ddd65242ba476a6c4fb4e3aedbf281dfbac1b1ed4165b1",
"sha256:58a70d93fb79dc585b21f9d72487b929a6fe58da0754fa4cb9f279bb92369396",
"sha256:5e4395bbf841693eaebaa5bb5c8f5cdbb1d139e07c975c682ec4e4f8126e03d2",
"sha256:6b5eed00e597b5b5773b4ca30bd48a5774ef1e96f2a45d105db5b4ebb4bca680",
"sha256:73ff61b1411e3fb0ba144b8f08d6749749775fe89688093e1efef9839d2dcc35",
"sha256:772e94c2c6864f2cd2ffbe58bb3bdefbe2a32afa0acb1a77e472aac831f83427",
"sha256:773c781216f8c2900b42a7b638d5b517bb134ae1acbebe4d1e8f1f41ea60eb4b",
"sha256:a0c772d791c38bbc77be659af29bb14c38ced151433592e326361610250c605b",
"sha256:b29b869cf58412ca5738d23691e96d8aff535e17390128a1a52717c9a109da4f",
"sha256:c1a9ff320fa699337e05edcaae79ef8c2880b52720bc031b219e5b5008ebbdef",
"sha256:cd3caef37a415fd0dae6148a1b6957a8c5f275a62cca02e18474608cb263640c",
"sha256:d5ec194c9c573aafaceebf05fc400656722793dac57f254cd4741f3c27ae57b4",
"sha256:da6e5e818d18459fa46fac0a4a4e543507fe1110e808101277c5a2b5bab0cd2d",
"sha256:e79d94ca58fcafef6395f6352383fa1a76922268fa02caa2272fff501c2fdc78",
"sha256:f3ef98d7b76da5eb19c37fda834d50262ff9167c65658d1d8f974d2e4d90676b",
"sha256:f4c8cabb46ff8e5d61f56a037974228e978f26bfefce4f61a4b1ac0ba7a2ab72"
"sha256:055ab45d5911d7cae397dc418808d8802fb95262751872c841c170b0dbf51eed",
"sha256:111156137b2e71f3a9936baf27cb322e8024dac3dc54ec7fb9f0bcf3249e68bb",
"sha256:187d5730b0507d9285a96fca9716310d572e5464cadd19f22b63a6976254d77a",
"sha256:21455e2b16000440e896ab99e8304617151981ed40c29e9507ef1c2e4314ee95",
"sha256:2aede922a488861de0ad00c7630a6e2d57e8023e4be72d9d7147a9fcd2d30712",
"sha256:3ba4134a3ff0fc7ad225b6b457d1309f4698108fb6b35532d015dca8f5abed73",
"sha256:456cb30ca8bff00596519f2c53e42c245c09e1a4543945703acd4312949bfd41",
"sha256:71d332b0320642b3261e9fee47ab9e65872c2bd90260e5d225dabeed93cbd42b",
"sha256:879b4c2f4d41585c42df4d7654ddffff1239dc4065bc88b745f0341828b83e78",
"sha256:9cd3e9978d12b5d99cbdc727a3022da0430ad007dacf33d0bf554b96427f33ab",
"sha256:a178209e2df710e3f142cbd05313ba0c5ebed0a55d78d9945ac7a4e09d923308",
"sha256:b39725209e06759217d1ac5fcdb510e98670af9e37223985f330b611f62e7425",
"sha256:bfa0351be89c9fcbcb8c9879b826f4353be10f58f8a677efab0c017bf7137ec2",
"sha256:bfd880614c6237243ff53a0539f1cb26987a6dc8ac6e66e0c5a40617296a045e",
"sha256:c43bec251bbd10e3cb58ced80609c5c1eb238da9ca78b964aea410fb820d00d6",
"sha256:d690b18ac4b3e3cab73b0b7aa7dbe65978a172ff94970ff98d82f2031f8971c2",
"sha256:d6982b5a0237e1b7d876b60265564648a69b14017f3b5f908c5be2de3f9abb7a",
"sha256:dec3eac7549869365fe263831f576c8457f6c833937c68542d08fde73457d291",
"sha256:e371b844cec09d8dc424d940e54bba8f67a03ebea20ff7b7b0d56f526c71d584",
"sha256:e5d8f84d81e3729c3b506657dddfe46e8ba9c330bf1858ee33108f8bb2adb38a",
"sha256:ea6b79a02a28550c98b6ca9c35b9f492beaa54d7c5c9e9949555893c8a9234d0",
"sha256:f1258f4e6c42ad0b20f9cfcc3ada5bd6b83374516cd01c0960e3cb75fdca6770"
],
"markers": "python_version >= '3.6'",
"version": "==0.18.0"
"markers": "python_version >= '3.7'",
"version": "==0.19.2"
},
"python-dateutil": {
"hashes": [
@@ -115,10 +117,11 @@
},
"python-utils": {
"hashes": [
"sha256:18fbc1a1df9a9061e3059a48ebe5c8a66b654d688b0e3ecca8b339a7f168f208",
"sha256:352d5b1febeebf9b3cdb9f3c87a3b26ef22d3c9e274a8ec1e7048ecd2fac4349"
"sha256:22990259324eae88faa3389d302861a825dbdd217ab40e3ec701851b3337d592",
"sha256:7e329c427a6d23036cfcc4501638afb31b2ddc8896f25393562833874b8c6e0a"
],
"version": "==2.5.6"
"markers": "python_version >= '3.7'",
"version": "==3.4.5"
},
"pyyaml": {
"hashes": [
@@ -165,38 +168,59 @@
},
"ruamel.yaml": {
"hashes": [
"sha256:106bc8d6dc6a0ff7c9196a47570432036f41d556b779c6b4e618085f57e39e67",
"sha256:ffb9b703853e9e8b7861606dfdab1026cf02505bade0653d1880f4b2db47f815"
"sha256:742b35d3d665023981bd6d16b3d24248ce5df75fdb4e2924e93a05c1f8b61ca7",
"sha256:8b7ce697a2f212752a35c1ac414471dc16c424c9573be4926b56ff3f5d23b7af"
],
"index": "pypi",
"version": "==0.17.10"
"version": "==0.17.21"
},
"ruamel.yaml.clib": {
"hashes": [
"sha256:0847201b767447fc33b9c235780d3aa90357d20dd6108b92be544427bea197dd",
"sha256:1866cf2c284a03b9524a5cc00daca56d80057c5ce3cdc86a52020f4c720856f0",
"sha256:31ea73e564a7b5fbbe8188ab8b334393e06d997914a4e184975348f204790277",
"sha256:3fb9575a5acd13031c57a62cc7823e5d2ff8bc3835ba4d94b921b4e6ee664104",
"sha256:4ff604ce439abb20794f05613c374759ce10e3595d1867764dd1ae675b85acbd",
"sha256:72a2b8b2ff0a627496aad76f37a652bcef400fd861721744201ef1b45199ab78",
"sha256:78988ed190206672da0f5d50c61afef8f67daa718d614377dcd5e3ed85ab4a99",
"sha256:7b2927e92feb51d830f531de4ccb11b320255ee95e791022555971c466af4527",
"sha256:7f7ecb53ae6848f959db6ae93bdff1740e651809780822270eab111500842a84",
"sha256:825d5fccef6da42f3c8eccd4281af399f21c02b32d98e113dbc631ea6a6ecbc7",
"sha256:846fc8336443106fe23f9b6d6b8c14a53d38cef9a375149d61f99d78782ea468",
"sha256:89221ec6d6026f8ae859c09b9718799fea22c0e8da8b766b0b2c9a9ba2db326b",
"sha256:9efef4aab5353387b07f6b22ace0867032b900d8e91674b5d8ea9150db5cae94",
"sha256:a32f8d81ea0c6173ab1b3da956869114cae53ba1e9f72374032e33ba3118c233",
"sha256:a49e0161897901d1ac9c4a79984b8410f450565bbad64dbfcbf76152743a0cdb",
"sha256:ada3f400d9923a190ea8b59c8f60680c4ef8a4b0dfae134d2f2ff68429adfab5",
"sha256:bf75d28fa071645c529b5474a550a44686821decebdd00e21127ef1fd566eabe",
"sha256:cfdb9389d888c5b74af297e51ce357b800dd844898af9d4a547ffc143fa56751",
"sha256:d67f273097c368265a7b81e152e07fb90ed395df6e552b9fa858c6d2c9f42502",
"sha256:dc6a613d6c74eef5a14a214d433d06291526145431c3b964f5e16529b1842bed",
"sha256:de9c6b8a1ba52919ae919f3ae96abb72b994dd0350226e28f3686cb4f142165c"
"sha256:045e0626baf1c52e5527bd5db361bc83180faaba2ff586e763d3d5982a876a9e",
"sha256:15910ef4f3e537eea7fe45f8a5d19997479940d9196f357152a09031c5be59f3",
"sha256:184faeaec61dbaa3cace407cffc5819f7b977e75360e8d5ca19461cd851a5fc5",
"sha256:1f08fd5a2bea9c4180db71678e850b995d2a5f4537be0e94557668cf0f5f9497",
"sha256:2aa261c29a5545adfef9296b7e33941f46aa5bbd21164228e833412af4c9c75f",
"sha256:3110a99e0f94a4a3470ff67fc20d3f96c25b13d24c6980ff841e82bafe827cac",
"sha256:3243f48ecd450eddadc2d11b5feb08aca941b5cd98c9b1db14b2fd128be8c697",
"sha256:370445fd795706fd291ab00c9df38a0caed0f17a6fb46b0f607668ecb16ce763",
"sha256:40d030e2329ce5286d6b231b8726959ebbe0404c92f0a578c0e2482182e38282",
"sha256:41d0f1fa4c6830176eef5b276af04c89320ea616655d01327d5ce65e50575c94",
"sha256:4a4d8d417868d68b979076a9be6a38c676eca060785abaa6709c7b31593c35d1",
"sha256:4b3a93bb9bc662fc1f99c5c3ea8e623d8b23ad22f861eb6fce9377ac07ad6072",
"sha256:5bc0667c1eb8f83a3752b71b9c4ba55ef7c7058ae57022dd9b29065186a113d9",
"sha256:721bc4ba4525f53f6a611ec0967bdcee61b31df5a56801281027a3a6d1c2daf5",
"sha256:763d65baa3b952479c4e972669f679fe490eee058d5aa85da483ebae2009d231",
"sha256:7bdb4c06b063f6fd55e472e201317a3bb6cdeeee5d5a38512ea5c01e1acbdd93",
"sha256:8831a2cedcd0f0927f788c5bdf6567d9dc9cc235646a434986a852af1cb54b4b",
"sha256:91a789b4aa0097b78c93e3dc4b40040ba55bef518f84a40d4442f713b4094acb",
"sha256:92460ce908546ab69770b2e576e4f99fbb4ce6ab4b245345a3869a0a0410488f",
"sha256:99e77daab5d13a48a4054803d052ff40780278240a902b880dd37a51ba01a307",
"sha256:a234a20ae07e8469da311e182e70ef6b199d0fbeb6c6cc2901204dd87fb867e8",
"sha256:a7b301ff08055d73223058b5c46c55638917f04d21577c95e00e0c4d79201a6b",
"sha256:be2a7ad8fd8f7442b24323d24ba0b56c51219513cfa45b9ada3b87b76c374d4b",
"sha256:bf9a6bc4a0221538b1a7de3ed7bca4c93c02346853f44e1cd764be0023cd3640",
"sha256:c3ca1fbba4ae962521e5eb66d72998b51f0f4d0f608d3c0347a48e1af262efa7",
"sha256:d000f258cf42fec2b1bbf2863c61d7b8918d31ffee905da62dede869254d3b8a",
"sha256:d5859983f26d8cd7bb5c287ef452e8aacc86501487634573d260968f753e1d71",
"sha256:d5e51e2901ec2366b79f16c2299a03e74ba4531ddcfacc1416639c557aef0ad8",
"sha256:debc87a9516b237d0466a711b18b6ebeb17ba9f391eb7f91c649c5c4ec5006c7",
"sha256:df5828871e6648db72d1c19b4bd24819b80a755c4541d3409f0f7acd0f335c80",
"sha256:ecdf1a604009bd35c674b9225a8fa609e0282d9b896c03dd441a91e5f53b534e",
"sha256:efa08d63ef03d079dcae1dfe334f6c8847ba8b645d08df286358b1f5293d24ab",
"sha256:f01da5790e95815eb5a8a138508c01c758e5f5bc0ce4286c4f7028b8dd7ac3d0",
"sha256:f34019dced51047d6f70cb9383b2ae2853b7fc4dce65129a5acd49f4f9256646"
],
"markers": "python_version < '3.10' and platform_python_implementation == 'CPython'",
"version": "==0.2.6"
"markers": "python_version < '3.11' and platform_python_implementation == 'CPython'",
"version": "==0.2.7"
},
"setuptools": {
"hashes": [
"sha256:57f6f22bde4e042978bcd50176fdb381d7c21a9efa4041202288d3737a0c6a54",
"sha256:a7620757bf984b58deaf32fc8a4577a9bbc0850cf92c20e1ce41c38c19e5fb75"
],
"markers": "python_version >= '3.7'",
"version": "==65.6.3"
},
"six": {
"hashes": [
@@ -206,6 +230,14 @@
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==1.16.0"
},
"termcolor": {
"hashes": [
"sha256:67cee2009adc6449c650f6bcf3bdeed00c8ba53a8cda5362733c53e0a39fb70b",
"sha256:fa852e957f97252205e105dd55bbc23b419a70fec0085708fc0515e399f304fd"
],
"index": "pypi",
"version": "==2.1.1"
},
"urllib3": {
"hashes": [
"sha256:39fb8672126159acb139a7718dd10806104dec1e2f0f6c88aab05d17df10c8d4",
@@ -216,69 +248,191 @@
},
"wrapt": {
"hashes": [
"sha256:b62ffa81fb85f4332a4f609cab4ac40709470da05643a082ec1eb88e6d9b97d7"
"sha256:00b6d4ea20a906c0ca56d84f93065b398ab74b927a7a3dbd470f6fc503f95dc3",
"sha256:01c205616a89d09827986bc4e859bcabd64f5a0662a7fe95e0d359424e0e071b",
"sha256:02b41b633c6261feff8ddd8d11c711df6842aba629fdd3da10249a53211a72c4",
"sha256:07f7a7d0f388028b2df1d916e94bbb40624c59b48ecc6cbc232546706fac74c2",
"sha256:11871514607b15cfeb87c547a49bca19fde402f32e2b1c24a632506c0a756656",
"sha256:1b376b3f4896e7930f1f772ac4b064ac12598d1c38d04907e696cc4d794b43d3",
"sha256:21ac0156c4b089b330b7666db40feee30a5d52634cc4560e1905d6529a3897ff",
"sha256:257fd78c513e0fb5cdbe058c27a0624c9884e735bbd131935fd49e9fe719d310",
"sha256:2b39d38039a1fdad98c87279b48bc5dce2c0ca0d73483b12cb72aa9609278e8a",
"sha256:2cf71233a0ed05ccdabe209c606fe0bac7379fdcf687f39b944420d2a09fdb57",
"sha256:2fe803deacd09a233e4762a1adcea5db5d31e6be577a43352936179d14d90069",
"sha256:3232822c7d98d23895ccc443bbdf57c7412c5a65996c30442ebe6ed3df335383",
"sha256:34aa51c45f28ba7f12accd624225e2b1e5a3a45206aa191f6f9aac931d9d56fe",
"sha256:36f582d0c6bc99d5f39cd3ac2a9062e57f3cf606ade29a0a0d6b323462f4dd87",
"sha256:380a85cf89e0e69b7cfbe2ea9f765f004ff419f34194018a6827ac0e3edfed4d",
"sha256:40e7bc81c9e2b2734ea4bc1aceb8a8f0ceaac7c5299bc5d69e37c44d9081d43b",
"sha256:43ca3bbbe97af00f49efb06e352eae40434ca9d915906f77def219b88e85d907",
"sha256:4fcc4649dc762cddacd193e6b55bc02edca674067f5f98166d7713b193932b7f",
"sha256:5a0f54ce2c092aaf439813735584b9537cad479575a09892b8352fea5e988dc0",
"sha256:5a9a0d155deafd9448baff28c08e150d9b24ff010e899311ddd63c45c2445e28",
"sha256:5b02d65b9ccf0ef6c34cba6cf5bf2aab1bb2f49c6090bafeecc9cd81ad4ea1c1",
"sha256:60db23fa423575eeb65ea430cee741acb7c26a1365d103f7b0f6ec412b893853",
"sha256:642c2e7a804fcf18c222e1060df25fc210b9c58db7c91416fb055897fc27e8cc",
"sha256:6a9a25751acb379b466ff6be78a315e2b439d4c94c1e99cb7266d40a537995d3",
"sha256:6b1a564e6cb69922c7fe3a678b9f9a3c54e72b469875aa8018f18b4d1dd1adf3",
"sha256:6d323e1554b3d22cfc03cd3243b5bb815a51f5249fdcbb86fda4bf62bab9e164",
"sha256:6e743de5e9c3d1b7185870f480587b75b1cb604832e380d64f9504a0535912d1",
"sha256:709fe01086a55cf79d20f741f39325018f4df051ef39fe921b1ebe780a66184c",
"sha256:7b7c050ae976e286906dd3f26009e117eb000fb2cf3533398c5ad9ccc86867b1",
"sha256:7d2872609603cb35ca513d7404a94d6d608fc13211563571117046c9d2bcc3d7",
"sha256:7ef58fb89674095bfc57c4069e95d7a31cfdc0939e2a579882ac7d55aadfd2a1",
"sha256:80bb5c256f1415f747011dc3604b59bc1f91c6e7150bd7db03b19170ee06b320",
"sha256:81b19725065dcb43df02b37e03278c011a09e49757287dca60c5aecdd5a0b8ed",
"sha256:833b58d5d0b7e5b9832869f039203389ac7cbf01765639c7309fd50ef619e0b1",
"sha256:88bd7b6bd70a5b6803c1abf6bca012f7ed963e58c68d76ee20b9d751c74a3248",
"sha256:8ad85f7f4e20964db4daadcab70b47ab05c7c1cf2a7c1e51087bfaa83831854c",
"sha256:8c0ce1e99116d5ab21355d8ebe53d9460366704ea38ae4d9f6933188f327b456",
"sha256:8d649d616e5c6a678b26d15ece345354f7c2286acd6db868e65fcc5ff7c24a77",
"sha256:903500616422a40a98a5a3c4ff4ed9d0066f3b4c951fa286018ecdf0750194ef",
"sha256:9736af4641846491aedb3c3f56b9bc5568d92b0692303b5a305301a95dfd38b1",
"sha256:988635d122aaf2bdcef9e795435662bcd65b02f4f4c1ae37fbee7401c440b3a7",
"sha256:9cca3c2cdadb362116235fdbd411735de4328c61425b0aa9f872fd76d02c4e86",
"sha256:9e0fd32e0148dd5dea6af5fee42beb949098564cc23211a88d799e434255a1f4",
"sha256:9f3e6f9e05148ff90002b884fbc2a86bd303ae847e472f44ecc06c2cd2fcdb2d",
"sha256:a85d2b46be66a71bedde836d9e41859879cc54a2a04fad1191eb50c2066f6e9d",
"sha256:a9a52172be0b5aae932bef82a79ec0a0ce87288c7d132946d645eba03f0ad8a8",
"sha256:aa31fdcc33fef9eb2552cbcbfee7773d5a6792c137b359e82879c101e98584c5",
"sha256:b014c23646a467558be7da3d6b9fa409b2c567d2110599b7cf9a0c5992b3b471",
"sha256:b21bb4c09ffabfa0e85e3a6b623e19b80e7acd709b9f91452b8297ace2a8ab00",
"sha256:b5901a312f4d14c59918c221323068fad0540e34324925c8475263841dbdfe68",
"sha256:b9b7a708dd92306328117d8c4b62e2194d00c365f18eff11a9b53c6f923b01e3",
"sha256:d1967f46ea8f2db647c786e78d8cc7e4313dbd1b0aca360592d8027b8508e24d",
"sha256:d52a25136894c63de15a35bc0bdc5adb4b0e173b9c0d07a2be9d3ca64a332735",
"sha256:d77c85fedff92cf788face9bfa3ebaa364448ebb1d765302e9af11bf449ca36d",
"sha256:d79d7d5dc8a32b7093e81e97dad755127ff77bcc899e845f41bf71747af0c569",
"sha256:dbcda74c67263139358f4d188ae5faae95c30929281bc6866d00573783c422b7",
"sha256:ddaea91abf8b0d13443f6dac52e89051a5063c7d014710dcb4d4abb2ff811a59",
"sha256:dee0ce50c6a2dd9056c20db781e9c1cfd33e77d2d569f5d1d9321c641bb903d5",
"sha256:dee60e1de1898bde3b238f18340eec6148986da0455d8ba7848d50470a7a32fb",
"sha256:e2f83e18fe2f4c9e7db597e988f72712c0c3676d337d8b101f6758107c42425b",
"sha256:e3fb1677c720409d5f671e39bac6c9e0e422584e5f518bfd50aa4cbbea02433f",
"sha256:ee2b1b1769f6707a8a445162ea16dddf74285c3964f605877a20e38545c3c462",
"sha256:ee6acae74a2b91865910eef5e7de37dc6895ad96fa23603d1d27ea69df545015",
"sha256:ef3f72c9666bba2bab70d2a8b79f2c6d2c1a42a7f7e2b0ec83bb2f9e383950af"
],
"version": "==1.12.1"
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
"version": "==1.14.1"
}
},
"develop": {
"aiohttp": {
"hashes": [
"sha256:02f46fc0e3c5ac58b80d4d56eb0a7c7d97fcef69ace9326289fb9f1955e65cfe",
"sha256:0563c1b3826945eecd62186f3f5c7d31abb7391fedc893b7e2b26303b5a9f3fe",
"sha256:114b281e4d68302a324dd33abb04778e8557d88947875cbf4e842c2c01a030c5",
"sha256:14762875b22d0055f05d12abc7f7d61d5fd4fe4642ce1a249abdf8c700bf1fd8",
"sha256:15492a6368d985b76a2a5fdd2166cddfea5d24e69eefed4630cbaae5c81d89bd",
"sha256:17c073de315745a1510393a96e680d20af8e67e324f70b42accbd4cb3315c9fb",
"sha256:209b4a8ee987eccc91e2bd3ac36adee0e53a5970b8ac52c273f7f8fd4872c94c",
"sha256:230a8f7e24298dea47659251abc0fd8b3c4e38a664c59d4b89cca7f6c09c9e87",
"sha256:2e19413bf84934d651344783c9f5e22dee452e251cfd220ebadbed2d9931dbf0",
"sha256:393f389841e8f2dfc86f774ad22f00923fdee66d238af89b70ea314c4aefd290",
"sha256:3cf75f7cdc2397ed4442594b935a11ed5569961333d49b7539ea741be2cc79d5",
"sha256:3d78619672183be860b96ed96f533046ec97ca067fd46ac1f6a09cd9b7484287",
"sha256:40eced07f07a9e60e825554a31f923e8d3997cfc7fb31dbc1328c70826e04cde",
"sha256:493d3299ebe5f5a7c66b9819eacdcfbbaaf1a8e84911ddffcdc48888497afecf",
"sha256:4b302b45040890cea949ad092479e01ba25911a15e648429c7c5aae9650c67a8",
"sha256:515dfef7f869a0feb2afee66b957cc7bbe9ad0cdee45aec7fdc623f4ecd4fb16",
"sha256:547da6cacac20666422d4882cfcd51298d45f7ccb60a04ec27424d2f36ba3eaf",
"sha256:5df68496d19f849921f05f14f31bd6ef53ad4b00245da3195048c69934521809",
"sha256:64322071e046020e8797117b3658b9c2f80e3267daec409b350b6a7a05041213",
"sha256:7615dab56bb07bff74bc865307aeb89a8bfd9941d2ef9d817b9436da3a0ea54f",
"sha256:79ebfc238612123a713a457d92afb4096e2148be17df6c50fb9bf7a81c2f8013",
"sha256:7b18b97cf8ee5452fa5f4e3af95d01d84d86d32c5e2bfa260cf041749d66360b",
"sha256:932bb1ea39a54e9ea27fc9232163059a0b8855256f4052e776357ad9add6f1c9",
"sha256:a00bb73540af068ca7390e636c01cbc4f644961896fa9363154ff43fd37af2f5",
"sha256:a5ca29ee66f8343ed336816c553e82d6cade48a3ad702b9ffa6125d187e2dedb",
"sha256:af9aa9ef5ba1fd5b8c948bb11f44891968ab30356d65fd0cc6707d989cd521df",
"sha256:bb437315738aa441251214dad17428cafda9cdc9729499f1d6001748e1d432f4",
"sha256:bdb230b4943891321e06fc7def63c7aace16095be7d9cf3b1e01be2f10fba439",
"sha256:c6e9dcb4cb338d91a73f178d866d051efe7c62a7166653a91e7d9fb18274058f",
"sha256:cffe3ab27871bc3ea47df5d8f7013945712c46a3cc5a95b6bee15887f1675c22",
"sha256:d012ad7911653a906425d8473a1465caa9f8dea7fcf07b6d870397b774ea7c0f",
"sha256:d9e13b33afd39ddeb377eff2c1c4f00544e191e1d1dee5b6c51ddee8ea6f0cf5",
"sha256:e4b2b334e68b18ac9817d828ba44d8fcb391f6acb398bcc5062b14b2cbeac970",
"sha256:e54962802d4b8b18b6207d4a927032826af39395a3bd9196a5af43fc4e60b009",
"sha256:f705e12750171c0ab4ef2a3c76b9a4024a62c4103e3a55dd6f99265b9bc6fcfc",
"sha256:f881853d2643a29e643609da57b96d5f9c9b93f62429dcc1cbb413c7d07f0e1a",
"sha256:fe60131d21b31fd1a14bd43e6bb88256f69dfc3188b3a89d736d6c71ed43ec95"
"sha256:02f9a2c72fc95d59b881cf38a4b2be9381b9527f9d328771e90f72ac76f31ad8",
"sha256:059a91e88f2c00fe40aed9031b3606c3f311414f86a90d696dd982e7aec48142",
"sha256:05a3c31c6d7cd08c149e50dc7aa2568317f5844acd745621983380597f027a18",
"sha256:08c78317e950e0762c2983f4dd58dc5e6c9ff75c8a0efeae299d363d439c8e34",
"sha256:09e28f572b21642128ef31f4e8372adb6888846f32fecb288c8b0457597ba61a",
"sha256:0d2c6d8c6872df4a6ec37d2ede71eff62395b9e337b4e18efd2177de883a5033",
"sha256:16c121ba0b1ec2b44b73e3a8a171c4f999b33929cd2397124a8c7fcfc8cd9e06",
"sha256:1d90043c1882067f1bd26196d5d2db9aa6d268def3293ed5fb317e13c9413ea4",
"sha256:1e56b9cafcd6531bab5d9b2e890bb4937f4165109fe98e2b98ef0dcfcb06ee9d",
"sha256:20acae4f268317bb975671e375493dbdbc67cddb5f6c71eebdb85b34444ac46b",
"sha256:21b30885a63c3f4ff5b77a5d6caf008b037cb521a5f33eab445dc566f6d092cc",
"sha256:21d69797eb951f155026651f7e9362877334508d39c2fc37bd04ff55b2007091",
"sha256:256deb4b29fe5e47893fa32e1de2d73c3afe7407738bd3c63829874661d4822d",
"sha256:25892c92bee6d9449ffac82c2fe257f3a6f297792cdb18ad784737d61e7a9a85",
"sha256:2ca9af5f8f5812d475c5259393f52d712f6d5f0d7fdad9acdb1107dd9e3cb7eb",
"sha256:2d252771fc85e0cf8da0b823157962d70639e63cb9b578b1dec9868dd1f4f937",
"sha256:2dea10edfa1a54098703cb7acaa665c07b4e7568472a47f4e64e6319d3821ccf",
"sha256:2df5f139233060578d8c2c975128fb231a89ca0a462b35d4b5fcf7c501ebdbe1",
"sha256:2feebbb6074cdbd1ac276dbd737b40e890a1361b3cc30b74ac2f5e24aab41f7b",
"sha256:309aa21c1d54b8ef0723181d430347d7452daaff93e8e2363db8e75c72c2fb2d",
"sha256:3828fb41b7203176b82fe5d699e0d845435f2374750a44b480ea6b930f6be269",
"sha256:398701865e7a9565d49189f6c90868efaca21be65c725fc87fc305906be915da",
"sha256:43046a319664a04b146f81b40e1545d4c8ac7b7dd04c47e40bf09f65f2437346",
"sha256:437399385f2abcd634865705bdc180c8314124b98299d54fe1d4c8990f2f9494",
"sha256:45d88b016c849d74ebc6f2b6e8bc17cabf26e7e40c0661ddd8fae4c00f015697",
"sha256:47841407cc89a4b80b0c52276f3cc8138bbbfba4b179ee3acbd7d77ae33f7ac4",
"sha256:4a4fbc769ea9b6bd97f4ad0b430a6807f92f0e5eb020f1e42ece59f3ecfc4585",
"sha256:4ab94426ddb1ecc6a0b601d832d5d9d421820989b8caa929114811369673235c",
"sha256:4b0f30372cef3fdc262f33d06e7b411cd59058ce9174ef159ad938c4a34a89da",
"sha256:4e3a23ec214e95c9fe85a58470b660efe6534b83e6cbe38b3ed52b053d7cb6ad",
"sha256:512bd5ab136b8dc0ffe3fdf2dfb0c4b4f49c8577f6cae55dca862cd37a4564e2",
"sha256:527b3b87b24844ea7865284aabfab08eb0faf599b385b03c2aa91fc6edd6e4b6",
"sha256:54d107c89a3ebcd13228278d68f1436d3f33f2dd2af5415e3feaeb1156e1a62c",
"sha256:5835f258ca9f7c455493a57ee707b76d2d9634d84d5d7f62e77be984ea80b849",
"sha256:598adde339d2cf7d67beaccda3f2ce7c57b3b412702f29c946708f69cf8222aa",
"sha256:599418aaaf88a6d02a8c515e656f6faf3d10618d3dd95866eb4436520096c84b",
"sha256:5bf651afd22d5f0c4be16cf39d0482ea494f5c88f03e75e5fef3a85177fecdeb",
"sha256:5c59fcd80b9049b49acd29bd3598cada4afc8d8d69bd4160cd613246912535d7",
"sha256:653acc3880459f82a65e27bd6526e47ddf19e643457d36a2250b85b41a564715",
"sha256:66bd5f950344fb2b3dbdd421aaa4e84f4411a1a13fca3aeb2bcbe667f80c9f76",
"sha256:6f3553510abdbec67c043ca85727396ceed1272eef029b050677046d3387be8d",
"sha256:7018ecc5fe97027214556afbc7c502fbd718d0740e87eb1217b17efd05b3d276",
"sha256:713d22cd9643ba9025d33c4af43943c7a1eb8547729228de18d3e02e278472b6",
"sha256:73a4131962e6d91109bca6536416aa067cf6c4efb871975df734f8d2fd821b37",
"sha256:75880ed07be39beff1881d81e4a907cafb802f306efd6d2d15f2b3c69935f6fb",
"sha256:75e14eac916f024305db517e00a9252714fce0abcb10ad327fb6dcdc0d060f1d",
"sha256:8135fa153a20d82ffb64f70a1b5c2738684afa197839b34cc3e3c72fa88d302c",
"sha256:84b14f36e85295fe69c6b9789b51a0903b774046d5f7df538176516c3e422446",
"sha256:86fc24e58ecb32aee09f864cb11bb91bc4c1086615001647dbfc4dc8c32f4008",
"sha256:87f44875f2804bc0511a69ce44a9595d5944837a62caecc8490bbdb0e18b1342",
"sha256:88c70ed9da9963d5496d38320160e8eb7e5f1886f9290475a881db12f351ab5d",
"sha256:88e5be56c231981428f4f506c68b6a46fa25c4123a2e86d156c58a8369d31ab7",
"sha256:89d2e02167fa95172c017732ed7725bc8523c598757f08d13c5acca308e1a061",
"sha256:8d6aaa4e7155afaf994d7924eb290abbe81a6905b303d8cb61310a2aba1c68ba",
"sha256:92a2964319d359f494f16011e23434f6f8ef0434acd3cf154a6b7bec511e2fb7",
"sha256:96372fc29471646b9b106ee918c8eeb4cca423fcbf9a34daa1b93767a88a2290",
"sha256:978b046ca728073070e9abc074b6299ebf3501e8dee5e26efacb13cec2b2dea0",
"sha256:9c7149272fb5834fc186328e2c1fa01dda3e1fa940ce18fded6d412e8f2cf76d",
"sha256:a0239da9fbafd9ff82fd67c16704a7d1bccf0d107a300e790587ad05547681c8",
"sha256:ad5383a67514e8e76906a06741febd9126fc7c7ff0f599d6fcce3e82b80d026f",
"sha256:ad61a9639792fd790523ba072c0555cd6be5a0baf03a49a5dd8cfcf20d56df48",
"sha256:b29bfd650ed8e148f9c515474a6ef0ba1090b7a8faeee26b74a8ff3b33617502",
"sha256:b97decbb3372d4b69e4d4c8117f44632551c692bb1361b356a02b97b69e18a62",
"sha256:ba71c9b4dcbb16212f334126cc3d8beb6af377f6703d9dc2d9fb3874fd667ee9",
"sha256:c37c5cce780349d4d51739ae682dec63573847a2a8dcb44381b174c3d9c8d403",
"sha256:c971bf3786b5fad82ce5ad570dc6ee420f5b12527157929e830f51c55dc8af77",
"sha256:d1fde0f44029e02d02d3993ad55ce93ead9bb9b15c6b7ccd580f90bd7e3de476",
"sha256:d24b8bb40d5c61ef2d9b6a8f4528c2f17f1c5d2d31fed62ec860f6006142e83e",
"sha256:d5ba88df9aa5e2f806650fcbeedbe4f6e8736e92fc0e73b0400538fd25a4dd96",
"sha256:d6f76310355e9fae637c3162936e9504b4767d5c52ca268331e2756e54fd4ca5",
"sha256:d737fc67b9a970f3234754974531dc9afeea11c70791dcb7db53b0cf81b79784",
"sha256:da22885266bbfb3f78218dc40205fed2671909fbd0720aedba39b4515c038091",
"sha256:da37dcfbf4b7f45d80ee386a5f81122501ec75672f475da34784196690762f4b",
"sha256:db19d60d846283ee275d0416e2a23493f4e6b6028825b51290ac05afc87a6f97",
"sha256:db4c979b0b3e0fa7e9e69ecd11b2b3174c6963cebadeecfb7ad24532ffcdd11a",
"sha256:e164e0a98e92d06da343d17d4e9c4da4654f4a4588a20d6c73548a29f176abe2",
"sha256:e168a7560b7c61342ae0412997b069753f27ac4862ec7867eff74f0fe4ea2ad9",
"sha256:e381581b37db1db7597b62a2e6b8b57c3deec95d93b6d6407c5b61ddc98aca6d",
"sha256:e65bc19919c910127c06759a63747ebe14f386cda573d95bcc62b427ca1afc73",
"sha256:e7b8813be97cab8cb52b1375f41f8e6804f6507fe4660152e8ca5c48f0436017",
"sha256:e8a78079d9a39ca9ca99a8b0ac2fdc0c4d25fc80c8a8a82e5c8211509c523363",
"sha256:ebf909ea0a3fc9596e40d55d8000702a85e27fd578ff41a5500f68f20fd32e6c",
"sha256:ec40170327d4a404b0d91855d41bfe1fe4b699222b2b93e3d833a27330a87a6d",
"sha256:f178d2aadf0166be4df834c4953da2d7eef24719e8aec9a65289483eeea9d618",
"sha256:f88df3a83cf9df566f171adba39d5bd52814ac0b94778d2448652fc77f9eb491",
"sha256:f973157ffeab5459eefe7b97a804987876dd0a55570b8fa56b4e1954bf11329b",
"sha256:ff25f48fc8e623d95eca0670b8cc1469a83783c924a602e0fbd47363bb54aaca"
],
"markers": "python_version >= '3.6'",
"version": "==3.7.4.post0"
"version": "==3.8.3"
},
"aiosignal": {
"hashes": [
"sha256:54cd96e15e1649b75d6c87526a6ff0b6c1b0dd3459f43d9ca11d48c339b68cfc",
"sha256:f8376fb07dd1e86a584e4fcdec80b36b7f81aac666ebc724e2c090300dd83b17"
],
"markers": "python_version >= '3.7'",
"version": "==1.3.1"
},
"antlr4-python3-runtime": {
"hashes": [
"sha256:15793f5d0512a372b4e7d2284058ad32ce7dd27126b105fb0b2245130445db33"
"sha256:f224469b4168294902bb1efa80a8bf7855f24c99aef99cbefc1bcd3cce77881b"
],
"markers": "python_version >= '3'",
"version": "==4.8"
"version": "==4.9.3"
},
"async-timeout": {
"hashes": [
"sha256:0c3c816a028d47f659d6ff5c745cb2acf1f966da1fe5c19c77a70282b25f4c5f",
"sha256:4291ca197d287d274d0b6cb5d6f8f8f82d434ed288f962539ff18cc9012f9ea3"
"sha256:2163e1640ddb52b7a8c80d0a67a08587e5d245cc9c553a74a847056bc2976b15",
"sha256:8ca1e4fcf50d07413d66d1a5e416e42cfdf5851c981d679a09851a6853383b3c"
],
"markers": "python_full_version >= '3.5.3'",
"version": "==3.0.1"
"markers": "python_version >= '3.6'",
"version": "==4.0.2"
},
"attackcti": {
"hashes": [
@@ -290,34 +444,27 @@
},
"attrs": {
"hashes": [
"sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1",
"sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb"
"sha256:29adc2665447e5191d0e7c568fde78b21f9672d344281d0c6e1ab085429b22b6",
"sha256:86efa402f67bf2df34f51a335487cf46b1ec130d02b8d39fd248abfd30da551c"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
"version": "==21.2.0"
"markers": "python_version >= '3.5'",
"version": "==22.1.0"
},
"certifi": {
"hashes": [
"sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee",
"sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8"
"sha256:35824b4c3a97115964b408844d64aa14db1cc518f6562e8d7261699d1350a9e3",
"sha256:4ad3232f5e926d6718ec31cfc1fcadfde020920e278684144551c91769c7bc18"
],
"version": "==2021.5.30"
},
"chardet": {
"hashes": [
"sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa",
"sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
"version": "==4.0.0"
"index": "pypi",
"version": "==2022.12.7"
},
"charset-normalizer": {
"hashes": [
"sha256:0c8911edd15d19223366a194a513099a302055a962bca2cec0f54b8b63175d8b",
"sha256:f23667ebe1084be45f6ae0538e4a5a865206544097e4e8bbcacf42cd02a348f3"
"sha256:2857e29ff0d34db842cd7ca3230549d1a697f96ee6d3fb071cfa6c7393832597",
"sha256:6881edbebdb17b39b4eaaa821b438bf6eddffb4468cf344f09f89def34a8b1df"
],
"markers": "python_version >= '3'",
"version": "==2.0.4"
"version": "==2.0.12"
},
"colorama": {
"hashes": [
@@ -401,79 +548,197 @@
"index": "pypi",
"version": "==6.2.0"
},
"frozenlist": {
"hashes": [
"sha256:008a054b75d77c995ea26629ab3a0c0d7281341f2fa7e1e85fa6153ae29ae99c",
"sha256:02c9ac843e3390826a265e331105efeab489ffaf4dd86384595ee8ce6d35ae7f",
"sha256:034a5c08d36649591be1cbb10e09da9f531034acfe29275fc5454a3b101ce41a",
"sha256:05cdb16d09a0832eedf770cb7bd1fe57d8cf4eaf5aced29c4e41e3f20b30a784",
"sha256:0693c609e9742c66ba4870bcee1ad5ff35462d5ffec18710b4ac89337ff16e27",
"sha256:0771aed7f596c7d73444c847a1c16288937ef988dc04fb9f7be4b2aa91db609d",
"sha256:0af2e7c87d35b38732e810befb9d797a99279cbb85374d42ea61c1e9d23094b3",
"sha256:14143ae966a6229350021384870458e4777d1eae4c28d1a7aa47f24d030e6678",
"sha256:180c00c66bde6146a860cbb81b54ee0df350d2daf13ca85b275123bbf85de18a",
"sha256:1841e200fdafc3d51f974d9d377c079a0694a8f06de2e67b48150328d66d5483",
"sha256:23d16d9f477bb55b6154654e0e74557040575d9d19fe78a161bd33d7d76808e8",
"sha256:2b07ae0c1edaa0a36339ec6cce700f51b14a3fc6545fdd32930d2c83917332cf",
"sha256:2c926450857408e42f0bbc295e84395722ce74bae69a3b2aa2a65fe22cb14b99",
"sha256:2e24900aa13212e75e5b366cb9065e78bbf3893d4baab6052d1aca10d46d944c",
"sha256:303e04d422e9b911a09ad499b0368dc551e8c3cd15293c99160c7f1f07b59a48",
"sha256:352bd4c8c72d508778cf05ab491f6ef36149f4d0cb3c56b1b4302852255d05d5",
"sha256:3843f84a6c465a36559161e6c59dce2f2ac10943040c2fd021cfb70d58c4ad56",
"sha256:394c9c242113bfb4b9aa36e2b80a05ffa163a30691c7b5a29eba82e937895d5e",
"sha256:3bbdf44855ed8f0fbcd102ef05ec3012d6a4fd7c7562403f76ce6a52aeffb2b1",
"sha256:40de71985e9042ca00b7953c4f41eabc3dc514a2d1ff534027f091bc74416401",
"sha256:41fe21dc74ad3a779c3d73a2786bdf622ea81234bdd4faf90b8b03cad0c2c0b4",
"sha256:47df36a9fe24054b950bbc2db630d508cca3aa27ed0566c0baf661225e52c18e",
"sha256:4ea42116ceb6bb16dbb7d526e242cb6747b08b7710d9782aa3d6732bd8d27649",
"sha256:58bcc55721e8a90b88332d6cd441261ebb22342e238296bb330968952fbb3a6a",
"sha256:5c11e43016b9024240212d2a65043b70ed8dfd3b52678a1271972702d990ac6d",
"sha256:5cf820485f1b4c91e0417ea0afd41ce5cf5965011b3c22c400f6d144296ccbc0",
"sha256:5d8860749e813a6f65bad8285a0520607c9500caa23fea6ee407e63debcdbef6",
"sha256:6327eb8e419f7d9c38f333cde41b9ae348bec26d840927332f17e887a8dcb70d",
"sha256:65a5e4d3aa679610ac6e3569e865425b23b372277f89b5ef06cf2cdaf1ebf22b",
"sha256:66080ec69883597e4d026f2f71a231a1ee9887835902dbe6b6467d5a89216cf6",
"sha256:783263a4eaad7c49983fe4b2e7b53fa9770c136c270d2d4bbb6d2192bf4d9caf",
"sha256:7f44e24fa70f6fbc74aeec3e971f60a14dde85da364aa87f15d1be94ae75aeef",
"sha256:7fdfc24dcfce5b48109867c13b4cb15e4660e7bd7661741a391f821f23dfdca7",
"sha256:810860bb4bdce7557bc0febb84bbd88198b9dbc2022d8eebe5b3590b2ad6c842",
"sha256:841ea19b43d438a80b4de62ac6ab21cfe6827bb8a9dc62b896acc88eaf9cecba",
"sha256:84610c1502b2461255b4c9b7d5e9c48052601a8957cd0aea6ec7a7a1e1fb9420",
"sha256:899c5e1928eec13fd6f6d8dc51be23f0d09c5281e40d9cf4273d188d9feeaf9b",
"sha256:8bae29d60768bfa8fb92244b74502b18fae55a80eac13c88eb0b496d4268fd2d",
"sha256:8df3de3a9ab8325f94f646609a66cbeeede263910c5c0de0101079ad541af332",
"sha256:8fa3c6e3305aa1146b59a09b32b2e04074945ffcfb2f0931836d103a2c38f936",
"sha256:924620eef691990dfb56dc4709f280f40baee568c794b5c1885800c3ecc69816",
"sha256:9309869032abb23d196cb4e4db574232abe8b8be1339026f489eeb34a4acfd91",
"sha256:9545a33965d0d377b0bc823dcabf26980e77f1b6a7caa368a365a9497fb09420",
"sha256:9ac5995f2b408017b0be26d4a1d7c61bce106ff3d9e3324374d66b5964325448",
"sha256:9bbbcedd75acdfecf2159663b87f1bb5cfc80e7cd99f7ddd9d66eb98b14a8411",
"sha256:a4ae8135b11652b08a8baf07631d3ebfe65a4c87909dbef5fa0cdde440444ee4",
"sha256:a6394d7dadd3cfe3f4b3b186e54d5d8504d44f2d58dcc89d693698e8b7132b32",
"sha256:a97b4fe50b5890d36300820abd305694cb865ddb7885049587a5678215782a6b",
"sha256:ae4dc05c465a08a866b7a1baf360747078b362e6a6dbeb0c57f234db0ef88ae0",
"sha256:b1c63e8d377d039ac769cd0926558bb7068a1f7abb0f003e3717ee003ad85530",
"sha256:b1e2c1185858d7e10ff045c496bbf90ae752c28b365fef2c09cf0fa309291669",
"sha256:b4395e2f8d83fbe0c627b2b696acce67868793d7d9750e90e39592b3626691b7",
"sha256:b756072364347cb6aa5b60f9bc18e94b2f79632de3b0190253ad770c5df17db1",
"sha256:ba64dc2b3b7b158c6660d49cdb1d872d1d0bf4e42043ad8d5006099479a194e5",
"sha256:bed331fe18f58d844d39ceb398b77d6ac0b010d571cba8267c2e7165806b00ce",
"sha256:c188512b43542b1e91cadc3c6c915a82a5eb95929134faf7fd109f14f9892ce4",
"sha256:c21b9aa40e08e4f63a2f92ff3748e6b6c84d717d033c7b3438dd3123ee18f70e",
"sha256:ca713d4af15bae6e5d79b15c10c8522859a9a89d3b361a50b817c98c2fb402a2",
"sha256:cd4210baef299717db0a600d7a3cac81d46ef0e007f88c9335db79f8979c0d3d",
"sha256:cfe33efc9cb900a4c46f91a5ceba26d6df370ffddd9ca386eb1d4f0ad97b9ea9",
"sha256:d5cd3ab21acbdb414bb6c31958d7b06b85eeb40f66463c264a9b343a4e238642",
"sha256:dfbac4c2dfcc082fcf8d942d1e49b6aa0766c19d3358bd86e2000bf0fa4a9cf0",
"sha256:e235688f42b36be2b6b06fc37ac2126a73b75fb8d6bc66dd632aa35286238703",
"sha256:eb82dbba47a8318e75f679690190c10a5e1f447fbf9df41cbc4c3afd726d88cb",
"sha256:ebb86518203e12e96af765ee89034a1dbb0c3c65052d1b0c19bbbd6af8a145e1",
"sha256:ee78feb9d293c323b59a6f2dd441b63339a30edf35abcb51187d2fc26e696d13",
"sha256:eedab4c310c0299961ac285591acd53dc6723a1ebd90a57207c71f6e0c2153ab",
"sha256:efa568b885bca461f7c7b9e032655c0c143d305bf01c30caf6db2854a4532b38",
"sha256:efce6ae830831ab6a22b9b4091d411698145cb9b8fc869e1397ccf4b4b6455cb",
"sha256:f163d2fd041c630fed01bc48d28c3ed4a3b003c00acd396900e11ee5316b56bb",
"sha256:f20380df709d91525e4bee04746ba612a4df0972c1b8f8e1e8af997e678c7b81",
"sha256:f30f1928162e189091cf4d9da2eac617bfe78ef907a761614ff577ef4edfb3c8",
"sha256:f470c92737afa7d4c3aacc001e335062d582053d4dbe73cda126f2d7031068dd",
"sha256:ff8bf625fe85e119553b5383ba0fb6aa3d0ec2ae980295aaefa552374926b3f4"
],
"markers": "python_version >= '3.7'",
"version": "==1.3.3"
},
"idna": {
"hashes": [
"sha256:14475042e284991034cb48e06f6851428fb14c4dc953acd9be9a5e95c7b6dd7a",
"sha256:467fbad99067910785144ce333826c71fb0e63a425657295239737f7ecd125f3"
"sha256:814f528e8dead7d329833b91c5faa87d60bf71824cd12a7530b5526063d02cb4",
"sha256:90b77e79eaa3eba6de819a0c442c0b4ceefc341a7a2ab77d7562bf49f425c5c2"
],
"markers": "python_version >= '3'",
"version": "==3.2"
"version": "==3.4"
},
"more-itertools": {
"hashes": [
"sha256:2cf89ec599962f2ddc4d568a05defc40e0a587fbc10d5989713638864c36be4d",
"sha256:83f0308e05477c68f56ea3a888172c78ed5d5b3c282addb67508e7ba6c8f813a"
"sha256:250e83d7e81d0c87ca6bd942e6aeab8cc9daa6096d12c5308f3f92fa5e5c1f41",
"sha256:5a6257e40878ef0520b1803990e3e22303a41b5714006c32a3fd8304b26ea1ab"
],
"markers": "python_version >= '3.5'",
"version": "==8.8.0"
"markers": "python_version >= '3.7'",
"version": "==9.0.0"
},
"multidict": {
"hashes": [
"sha256:018132dbd8688c7a69ad89c4a3f39ea2f9f33302ebe567a879da8f4ca73f0d0a",
"sha256:051012ccee979b2b06be928a6150d237aec75dd6bf2d1eeeb190baf2b05abc93",
"sha256:05c20b68e512166fddba59a918773ba002fdd77800cad9f55b59790030bab632",
"sha256:07b42215124aedecc6083f1ce6b7e5ec5b50047afa701f3442054373a6deb656",
"sha256:0e3c84e6c67eba89c2dbcee08504ba8644ab4284863452450520dad8f1e89b79",
"sha256:0e929169f9c090dae0646a011c8b058e5e5fb391466016b39d21745b48817fd7",
"sha256:1ab820665e67373de5802acae069a6a05567ae234ddb129f31d290fc3d1aa56d",
"sha256:25b4e5f22d3a37ddf3effc0710ba692cfc792c2b9edfb9c05aefe823256e84d5",
"sha256:2e68965192c4ea61fff1b81c14ff712fc7dc15d2bd120602e4a3494ea6584224",
"sha256:2f1a132f1c88724674271d636e6b7351477c27722f2ed789f719f9e3545a3d26",
"sha256:37e5438e1c78931df5d3c0c78ae049092877e5e9c02dd1ff5abb9cf27a5914ea",
"sha256:3a041b76d13706b7fff23b9fc83117c7b8fe8d5fe9e6be45eee72b9baa75f348",
"sha256:3a4f32116f8f72ecf2a29dabfb27b23ab7cdc0ba807e8459e59a93a9be9506f6",
"sha256:46c73e09ad374a6d876c599f2328161bcd95e280f84d2060cf57991dec5cfe76",
"sha256:46dd362c2f045095c920162e9307de5ffd0a1bfbba0a6e990b344366f55a30c1",
"sha256:4b186eb7d6ae7c06eb4392411189469e6a820da81447f46c0072a41c748ab73f",
"sha256:54fd1e83a184e19c598d5e70ba508196fd0bbdd676ce159feb412a4a6664f952",
"sha256:585fd452dd7782130d112f7ddf3473ffdd521414674c33876187e101b588738a",
"sha256:5cf3443199b83ed9e955f511b5b241fd3ae004e3cb81c58ec10f4fe47c7dce37",
"sha256:6a4d5ce640e37b0efcc8441caeea8f43a06addace2335bd11151bc02d2ee31f9",
"sha256:7df80d07818b385f3129180369079bd6934cf70469f99daaebfac89dca288359",
"sha256:806068d4f86cb06af37cd65821554f98240a19ce646d3cd24e1c33587f313eb8",
"sha256:830f57206cc96ed0ccf68304141fec9481a096c4d2e2831f311bde1c404401da",
"sha256:929006d3c2d923788ba153ad0de8ed2e5ed39fdbe8e7be21e2f22ed06c6783d3",
"sha256:9436dc58c123f07b230383083855593550c4d301d2532045a17ccf6eca505f6d",
"sha256:9dd6e9b1a913d096ac95d0399bd737e00f2af1e1594a787e00f7975778c8b2bf",
"sha256:ace010325c787c378afd7f7c1ac66b26313b3344628652eacd149bdd23c68841",
"sha256:b47a43177a5e65b771b80db71e7be76c0ba23cc8aa73eeeb089ed5219cdbe27d",
"sha256:b797515be8743b771aa868f83563f789bbd4b236659ba52243b735d80b29ed93",
"sha256:b7993704f1a4b204e71debe6095150d43b2ee6150fa4f44d6d966ec356a8d61f",
"sha256:d5c65bdf4484872c4af3150aeebe101ba560dcfb34488d9a8ff8dbcd21079647",
"sha256:d81eddcb12d608cc08081fa88d046c78afb1bf8107e6feab5d43503fea74a635",
"sha256:dc862056f76443a0db4509116c5cd480fe1b6a2d45512a653f9a855cc0517456",
"sha256:ecc771ab628ea281517e24fd2c52e8f31c41e66652d07599ad8818abaad38cda",
"sha256:f200755768dc19c6f4e2b672421e0ebb3dd54c38d5a4f262b872d8cfcc9e93b5",
"sha256:f21756997ad8ef815d8ef3d34edd98804ab5ea337feedcd62fb52d22bf531281",
"sha256:fc13a9524bc18b6fb6e0dbec3533ba0496bbed167c56d0aabefd965584557d80"
"sha256:018c8e3be7f161a12b3e41741b6721f9baeb2210f4ab25a6359b7d76c1017dce",
"sha256:01b456046a05ff7cceefb0e1d2a9d32f05efcb1c7e0d152446304e11557639ce",
"sha256:114a4ab3e5cfbc56c4b6697686ecb92376c7e8c56893ef20547921552f8bdf57",
"sha256:12e0d396faa6dc55ff5379eee54d1df3b508243ff15bfc8295a6ec7a4483a335",
"sha256:190626ced82d4cc567a09e7346340d380154a493bac6905e0095d8158cdf1e38",
"sha256:1f5d5129a937af4e3c4a1d6c139f4051b7d17d43276cefdd8d442a7031f7eef2",
"sha256:21e1ce0b187c4e93112304dcde2aa18922fdbe8fb4f13d8aa72a5657bce0563a",
"sha256:24e8d513bfcaadc1f8b0ebece3ff50961951c54b07d5a775008a882966102418",
"sha256:2523a29006c034687eccd3ee70093a697129a3ffe8732535d3b2df6a4ecc279d",
"sha256:26fbbe17f8a7211b623502d2bf41022a51da3025142401417c765bf9a56fed4c",
"sha256:2b66d61966b12e6bba500e5cbb2c721a35e119c30ee02495c5629bd0e91eea30",
"sha256:2cf5d19e12eff855aa198259c0b02fd3f5d07e1291fbd20279c37b3b0e6c9852",
"sha256:2cfda34b7cb99eacada2072e0f69c0ad3285cb6f8e480b11f2b6d6c1c6f92718",
"sha256:3541882266247c7cd3dba78d6ef28dbe704774df60c9e4231edaa4493522e614",
"sha256:36df958b15639e40472adaa4f0c2c7828fe680f894a6b48c4ce229f59a6a798b",
"sha256:38d394814b39be1c36ac709006d39d50d72a884f9551acd9c8cc1ffae3fc8c4e",
"sha256:4159fc1ec9ede8ab93382e0d6ba9b1b3d23c72da39a834db7a116986605c7ab4",
"sha256:445c0851a1cbc1f2ec3b40bc22f9c4a235edb3c9a0906122a9df6ea8d51f886c",
"sha256:47defc0218682281a52fb1f6346ebb8b68b17538163a89ea24dfe4da37a8a9a3",
"sha256:4cc5c8cd205a9810d16a5cd428cd81bac554ad1477cb87f4ad722b10992e794d",
"sha256:4ccf55f28066b4f08666764a957c2b7c241c7547b0921d69c7ceab5f74fe1a45",
"sha256:4fb3fe591956d8841882c463f934c9f7485cfd5f763a08c0d467b513dc18ef89",
"sha256:526f8397fc124674b8f39748680a0ff673bd6a715fecb4866716d36e380f015f",
"sha256:578bfcb16f4b8675ef71b960c00f174b0426e0eeb796bab6737389d8288eb827",
"sha256:5b51969503709415a35754954c2763f536a70b8bf7360322b2edb0c0a44391f6",
"sha256:5e58ec0375803526d395f6f7e730ecc45d06e15f68f7b9cdbf644a2918324e51",
"sha256:62db44727d0befea68e8ad2881bb87a9cfb6b87d45dd78609009627167f37b69",
"sha256:67090b17a0a5be5704fd109f231ee73cefb1b3802d41288d6378b5df46ae89ba",
"sha256:6cd14e61f0da2a2cfb9fe05bfced2a1ed7063ce46a7a8cd473be4973de9a7f91",
"sha256:70740c2bc9ab1c99f7cdcb104f27d16c63860c56d51c5bf0ef82fc1d892a2131",
"sha256:73009ea04205966d47e16d98686ac5c438af23a1bb30b48a2c5da3423ec9ce37",
"sha256:791458a1f7d1b4ab3bd9e93e0dcd1d59ef7ee9aa051dcd1ea030e62e49b923fd",
"sha256:7f9511e48bde6b995825e8d35e434fc96296cf07a25f4aae24ff9162be7eaa46",
"sha256:81c3d597591b0940e04949e4e4f79359b2d2e542a686ba0da5e25de33fec13e0",
"sha256:8230a39bae6c2e8a09e4da6bace5064693b00590a4a213e38f9a9366da10e7dd",
"sha256:8b92a9f3ab904397a33b193000dc4de7318ea175c4c460a1e154c415f9008e3d",
"sha256:94cbe5535ef150546b8321aebea22862a3284da51e7b55f6f95b7d73e96d90ee",
"sha256:960ce1b790952916e682093788696ef7e33ac6a97482f9b983abdc293091b531",
"sha256:99341ca1f1db9e7f47914cb2461305665a662383765ced6f843712564766956d",
"sha256:9aac6881454a750554ed4b280a839dcf9e2133a9d12ab4d417d673fb102289b7",
"sha256:9d359b0a962e052b713647ac1f13eabf2263167b149ed1e27d5c579f5c8c7d2c",
"sha256:9dbab2a7e9c073bc9538824a01f5ed689194db7f55f2b8102766873e906a6c1a",
"sha256:a27b029caa3b555a4f3da54bc1e718eb55fcf1a11fda8bf0132147b476cf4c08",
"sha256:a8b817d4ed68fd568ec5e45dd75ddf30cc72a47a6b41b74d5bb211374c296f5e",
"sha256:ad7d66422b9cc51125509229693d27e18c08f2dea3ac9de408d821932b1b3759",
"sha256:b46e79a9f4db53897d17bc64a39d1c7c2be3e3d4f8dba6d6730a2b13ddf0f986",
"sha256:baa96a3418e27d723064854143b2f414a422c84cc87285a71558722049bebc5a",
"sha256:beeca903e4270b4afcd114f371a9602240dc143f9e944edfea00f8d4ad56c40d",
"sha256:c2a1168e5aa7c72499fb03c850e0f03f624fa4a5c8d2e215c518d0a73872eb64",
"sha256:c5790cc603456b6dcf8a9a4765f666895a6afddc88b3d3ba7b53dea2b6e23116",
"sha256:cb4a08f0aaaa869f189ffea0e17b86ad0237b51116d494da15ef7991ee6ad2d7",
"sha256:cd5771e8ea325f85cbb361ddbdeb9ae424a68e5dfb6eea786afdcd22e68a7d5d",
"sha256:ce8e51774eb03844588d3c279adb94efcd0edeccd2f97516623292445bcc01f9",
"sha256:d09daf5c6ce7fc6ed444c9339bbde5ea84e2534d1ca1cd37b60f365c77f00dea",
"sha256:d0e798b072cf2aab9daceb43d97c9c527a0c7593e67a7846ad4cc6051de1e303",
"sha256:d325d61cac602976a5d47b19eaa7d04e3daf4efce2164c630219885087234102",
"sha256:d408172519049e36fb6d29672f060dc8461fc7174eba9883c7026041ef9bfb38",
"sha256:d52442e7c951e4c9ee591d6047706e66923d248d83958bbf99b8b19515fffaef",
"sha256:dc4cfef5d899f5f1a15f3d2ac49f71107a01a5a2745b4dd53fa0cede1419385a",
"sha256:df7b4cee3ff31b3335aba602f8d70dbc641e5b7164b1e9565570c9d3c536a438",
"sha256:e068dfeadbce63072b2d8096486713d04db4946aad0a0f849bd4fc300799d0d3",
"sha256:e07c24018986fb00d6e7eafca8fcd6e05095649e17fcf0e33a592caaa62a78b9",
"sha256:e0bce9f7c30e7e3a9e683f670314c0144e8d34be6b7019e40604763bd278d84f",
"sha256:e1925f78a543b94c3d46274c66a366fee8a263747060220ed0188e5f3eeea1c0",
"sha256:e322c94596054352f5a02771eec71563c018b15699b961aba14d6dd943367022",
"sha256:e4a095e18847c12ec20e55326ab8782d9c2d599400a3a2f174fab4796875d0e2",
"sha256:e5a811aab1b4aea0b4be669363c19847a8c547510f0e18fb632956369fdbdf67",
"sha256:eddf604a3de2ace3d9a4e4d491be7562a1ac095a0a1c95a9ec5781ef0273ef11",
"sha256:ee9b1cae9a6c5d023e5a150f6f6b9dbb3c3bbc7887d6ee07d4c0ecb49a473734",
"sha256:f1650ea41c408755da5eed52ac6ccbc8938ccc3e698d81e6f6a1be02ff2a0945",
"sha256:f2c0957b3e8c66c10d27272709a5299ab3670a0f187c9428f3b90d267119aedb",
"sha256:f76109387e1ec8d8e2137c94c437b89fe002f29e0881aae8ae45529bdff92000",
"sha256:f8a728511c977df6f3d8af388fcb157e49f11db4a6637dd60131b8b6e40b0253",
"sha256:fb6c3dc3d65014d2c782f5acf0b3ba14e639c6c33d3ed8932ead76b9080b3544"
],
"markers": "python_version >= '3.6'",
"version": "==5.1.0"
"markers": "python_version >= '3.7'",
"version": "==6.0.3"
},
"packaging": {
"hashes": [
"sha256:7dc96269f53a4ccec5c0670940a4281106dd0bb343f47b7471f779df49c2fbe7",
"sha256:c86254f9220d55e31cc94d69bade760f0847da8000def4dfe1c6b872fd14ff14"
"sha256:2198ec20bd4c017b8f9717e00f0c8714076fc2fd93816750ab48e2c41de2cfd3",
"sha256:957e2148ba0e1a3b282772e791ef1d8083648bc131c8ab0c1feba110ce1146c3"
],
"markers": "python_version >= '3.6'",
"version": "==21.0"
"markers": "python_version >= '3.7'",
"version": "==22.0"
},
"pathspec": {
"hashes": [
"sha256:7d15c4ddb0b5c802d161efc417ec1a2558ea2653c2e8ad9c19098201dc1c993a",
"sha256:e564499435a2673d586f6b2130bb5b95f04a3ba06f81b8f895b651a3c76aabb1"
"sha256:88c2606f2c1e818b978540f73ecc908e13999c6c3a383daf3705652ae79807a5",
"sha256:8f6bf73e5758fd365ef5d58ce09ac7c27d2833a8d7da51712eac6e27e35141b0"
],
"version": "==0.9.0"
"markers": "python_version >= '3.7'",
"version": "==0.10.2"
},
"pluggy": {
"hashes": [
@@ -485,19 +750,11 @@
},
"py": {
"hashes": [
"sha256:21b81bda15b66ef5e1a777a21c4dcd9c20ad3efd0b3f817e7a809035269e1bd3",
"sha256:3b80836aa6d1feeaa108e046da6423ab8f6ceda6468545ae8d02d9d58d18818a"
"sha256:51c75c4126074b472f746a24399ad32f6053d1b34b68d2fa41e558e6f4a98719",
"sha256:607c53218732647dff4acdfcd50cb62615cedf612e72d1724fb1a0cc6405b378"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==1.10.0"
},
"pyparsing": {
"hashes": [
"sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1",
"sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b"
],
"markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==2.4.7"
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
"version": "==1.11.0"
},
"pytest": {
"hashes": [
@@ -509,10 +766,10 @@
},
"pytz": {
"hashes": [
"sha256:83a4a90894bf38e243cf052c8b58f381bfe9a7a483f6a9cab140bc7f702ac4da",
"sha256:eb10ce3e7736052ed3623d49975ce333bcd712c7bb19a58b9e2089d4057d0798"
"sha256:222439474e9c98fced559f1709d89e6c9cbf8d79c794ff3eb9f8800064291427",
"sha256:e89512406b793ca39f5971bc999cc538ce125c0e51c27941bef4568b460095e2"
],
"version": "==2021.1"
"version": "==2022.6"
},
"pyyaml": {
"hashes": [
@@ -557,49 +814,80 @@
"index": "pypi",
"version": "==2.26.0"
},
"setuptools": {
"hashes": [
"sha256:57f6f22bde4e042978bcd50176fdb381d7c21a9efa4041202288d3737a0c6a54",
"sha256:a7620757bf984b58deaf32fc8a4577a9bbc0850cf92c20e1ce41c38c19e5fb75"
],
"markers": "python_version >= '3.7'",
"version": "==65.6.3"
},
"simplejson": {
"hashes": [
"sha256:02bc0b7b643fa255048862f580bb4b7121b88b456bc64dabf9bf11df116b05d7",
"sha256:02c04b89b0a456a97d5313357dd9f2259c163a82c5307e39e7d35bb38d7fd085",
"sha256:05cd392c1c9b284bda91cf9d7b6f3f46631da459e8546fe823622e42cf4794bb",
"sha256:1331a54fda3c957b9136402943cf8ebcd29c0c92101ba70fa8c2fc9cdf1b8476",
"sha256:18302970ce341c3626433d4ffbdac19c7cca3d6e2d54b12778bcb8095f695473",
"sha256:1ebbaa48447b60a68043f58e612021e8893ebcf1662a1b18a2595ca262776d7e",
"sha256:2104475a0263ff2a3dffca214c9676eb261e90d06d604ac7063347bd289ac84c",
"sha256:23169d78f74fd25f891e89c779a63fcb857e66ab210096f4069a5b1c9e2dc732",
"sha256:32edf4e491fe174c54bf6682d794daf398736158d1082dbcae526e4a5af6890b",
"sha256:3904b528e3dc0facab73a4406ebf17f007f32f0a8d7f4c6aa9ed5cbad3ea0f34",
"sha256:391a8206e698557a4155354cf6996c002aa447a21c5c50fb94a0d26fd6cca586",
"sha256:3c80b343503da8b13fa7d48d1a2395be67e97b67a849eb79d88ad3b12783e7da",
"sha256:3dddd31857d8230aee88c24f485ebca36d1d875404b2ef11ac15fa3c8a01dc34",
"sha256:56f57c231cdd01b6a1c0532ea9088dff2afe7f4f4bda61c060bcb1a853e6b564",
"sha256:5b080be7de4c647fa84252cf565298a13842658123bd1a322a8c32b6359c8f1e",
"sha256:6285b91cfa37e024f372b9b77d14f279380eebc4f709db70c593c069602e1926",
"sha256:6510e886d9e9006213de2090c55f504b12f915178a2056b94840ed1d89abe68e",
"sha256:6ff6710b824947ef5a360a5a5ae9809c32cedc6110df3b64f01080c1bc1a1f08",
"sha256:79545a6d93bb38f86a00fbc6129cb091a86bb858e7d53b1aaa10d927d3b6732e",
"sha256:88a69c7e8059a4fd7aa2a31d2b3d89077eaae72eb741f18a32cb57d04018ff4c",
"sha256:8f174567c53413383b8b7ec2fbe88d41e924577bc854051f265d4c210cd72999",
"sha256:a52b80b9d1085db6e216980d1d28a8f090b8f2203a8c71b4ea13441bd7a2e86e",
"sha256:b25748e71c5df3c67b5bda2cdece373762d319cb5f773f14ae2f90dfb4320314",
"sha256:b45b5f6c9962953250534217b18002261c5b9383349b95fb0140899cdac2bf95",
"sha256:b4ed7b233e812ef1244a29fb0dfd3e149dbc34a2bd13b174a84c92d0cb580277",
"sha256:b60f48f780130f27f8d9751599925c3b78cf045f5d62dd918003effb65b45bda",
"sha256:c69a213ae72b75e8948f06a87d3675855bccb3037671222ffd235095e62f5a61",
"sha256:c91d0f2fc2ee1bd376f5a991c24923f12416d8c31a9b74a82c4b38b942fc2640",
"sha256:d61fb151be068127a0ce7758341cbe778495819622bc1e15eadf59fdb3a0481e",
"sha256:da72a452bcf4349fc467a12b54ab0e63e654a571cacc44084826d52bde12b6ee",
"sha256:dbcd6cd1a9abb5a13c5df93cdc5687f6877efcfefdc9350c22d4094dc4a7dd86",
"sha256:e056056718246c9cdd82d1e3d4ad854a7ceb057498bf994b529750a190a6bd98",
"sha256:e3aa10cce4053f3c1487aaf847a0faa4ae208e11f85a8e6f98de2291713a6616",
"sha256:e7433c604077a17dd71e8b29c96a15e486a70a97f4ed9c7f5e0df6e428af2f0b",
"sha256:f02db159e0afa9cb350f15f4f7b86755eae95267b9012ee90bde329aa643f76c",
"sha256:f32a703fe10cfc2d1020e296eeeeb650faa039678f6b79d9b820413a4c015ddc",
"sha256:fed5e862d9b501c5673c163c8593ebdb2c5422386089c529dfac28d70cd55858",
"sha256:ff7fe042169dd6fce8213c173a4c337f2e807ed5178093143c778eb0484c12ec"
"sha256:002f069c7bb9a86826616a78f1214fea5b993435720990eecb0bf10955b9cd0e",
"sha256:00b673f0b3caf37a3d993bccf30a97290da6313b6ecc7d66937e9cd906d8f840",
"sha256:07e408222931b1a2aab71e60e5f169fa7c0d74cacd4e0a6a0199716cb18dad76",
"sha256:0de746c8f76355c79fd15eccd7ecde0b137cd911bdcdc463fc5c36ec3d8b98ea",
"sha256:0f33d16fa7b5e2ed6ea85d7b31bc84cf8c73c40cc2c9f87071e0fffcd52f5342",
"sha256:0f49858b5fc802081b71269f4a3aa5c5500ec6553637c9a0630f30a2a6541ea7",
"sha256:17dbc7f71fa5b7e4a2acef38cf0be30461ae6659456a978ce7eeebeb5bdf9e1a",
"sha256:17ec5e408fb6615250c1f18fb4eac3b2b99a85e8613bfc2dfa54827d0bf7f3e1",
"sha256:1b4085151e00ab7ca66f269aff7153f0ec18589cb22e7ceb8b365709c723fdd0",
"sha256:1f169402069f8cf93e359f607725b1d920c4dbe5bda4c520025d5fad8d20c1b7",
"sha256:1fbacdbba3cf5a471c67a9ca6cd270bba9578d5bc22aef6028faebbdb98bbb15",
"sha256:252f7cc5524bb5507a08377a4a75aa7ff4645f3dfca814d38bdbcf0f3c34d1ce",
"sha256:2aeed35db00cdf5d49ff1e7d878afd38c86a5fead0f1d364d539ad4d7a869e0e",
"sha256:2cc76435569e6c19574a8e913cfccbed832249b2b3b360caee9a4caf8ff866bf",
"sha256:448ab14fa67b3ac235a8445d14ec6d56268c3dabbce78720f9efa6d698466710",
"sha256:4609feb2ae66c132c6dcbe01dbfd4f6431afb4ff17303e37ca128fb6297cebd2",
"sha256:46bafa7e794f0e91fde850d906b0dc29a624c726b27e75d23bc8c3e35a48f28b",
"sha256:4a6199d302ec7d889e1aa6b493aa8e40b4dfa4bd85708f8c8f0c64ce5b8e0986",
"sha256:4d8d016f70d241f82189bc9f6d1eb8558b3599861f2c501b3f32da7fdf4e92ac",
"sha256:503da91993cc671fe7ebbf120c3ce868278de8226f158336afde874f7b7aa871",
"sha256:54c63cc7857f16a20aa170ffda9ebce45a3b7ba764b67a5a95bfe7ae613a2710",
"sha256:58a429d2c2fa80834115b923ff689622de8f214cf0dc4afa9f59e824b444ab31",
"sha256:599e9c53d3203bc36ef68efec138ca76d201da7ac06a114fae78536a8c10e35b",
"sha256:5f3dd31309ae5cc9f2df51d2d5cac89722dac3c853042ebefcaf7ad06ca19387",
"sha256:6187cbea7fdede732fe0347ad08cd920ebd9faa30b6c48782cee494051ca97c6",
"sha256:622cf0e1f870f189a0757fdcad7998a0c1dd46b0e53aeac9960556c141319c83",
"sha256:638bdd2deaccd3b8e02b1783280bd82341df5e1faa59c4f0276f03f16eec13ea",
"sha256:6804ad50aaf581df5c982fc101b0d932638066fe191074ded783602eb1c8982a",
"sha256:7a4d9b266ae6db578719f1255c742e76ee4676593087f4f6b79a2bbae2b1dcc5",
"sha256:7a9476dcd72aeba7d55c4800b9cd2204201af3539894b8512d74597e35a3033a",
"sha256:7b95c5cf71c16e4fdaa724719aaf8ccbed533e2df57a20bcff825ceeead27688",
"sha256:8493d2c1a940471b07d7c9c356a3f4eee780df073da2917418d0fe8669b54f99",
"sha256:875cfb43b622672218045dc927a86fc7c4c8111264c1d303aca5de33d5df479e",
"sha256:8d762267c4af617e1798bd0151f626105d06a88f214e3874b77eb89106f899fe",
"sha256:94c17d01e4c65e63deec46c984bb810de5e3a1259eb6bacdca63f3efc9c4c673",
"sha256:96979ff7f0daf47422d5f95d2d006da3210e0490a166bce2529f59f55047fc67",
"sha256:97139bf5134d713710665a6edb9500d69b93642c4b6b44b20800232dbd0f5b39",
"sha256:989b31d586954e65170ad3ec597218a6790c401b82da6193e8a897a06aa7946e",
"sha256:98b4c824f15436f1b22fe6d73c42ffacb246f7efc4d9dbbee542dd72355ecc43",
"sha256:9aff3c24017a7819c76b2f177d4fe8334b3d4cb6f702a2d7c666b3d57c36ffb4",
"sha256:9db78e18624f94d7b5642bf487244f803dab844e771d92e83f85f22da21ffe2d",
"sha256:a0e6dd5a0b8c76fb7522470789f1af793d39d6edbd4e40853e7be550ad49c430",
"sha256:a2f70d8170c7e02166a4c91462581e6ae5f35e3351a6b6c5142adcb04c7153ac",
"sha256:a814227fa08cae435ac7a42dcd2a04a7ec4a3cee23b7f83f9544cd26f452dcc4",
"sha256:aa9ecdd1d7ecbc7d1066c37cfbe52f65adf64b11b22d481a98fe1d3675dfff4b",
"sha256:b2b19d7aa4e9a1e7bf8caaf5f478a790190c60136314f45bb7702cb5a9337266",
"sha256:b4997bd8332cef3923402a07351571788f552f55ea1394ffbfccd4d203a8a05f",
"sha256:b71fef8ee41d59509c7f4afac7f627ed143c9e6db9eb08cfbba85e4c4dc5e67b",
"sha256:bd67d6fad7f4cd7c9cb7fad32d78ce32862fdb574b898447987a5de22fd37d73",
"sha256:ca22993a1a00440392c6c76f39addab8d97c706d2a8bcc2c9b2b6cb2cd7f41df",
"sha256:ce1c0580372d3c9bfa151bd0721a9bd5647b9b2245d0588d813fdbd2eb5d6f22",
"sha256:d522f28f7b252454df86ac3db5a0e1fe5ae03c8fc0cd1592c912b07c9fad6c29",
"sha256:d5d25cc5dad31a10d7a8196125515cc3aa68187c8953459fcaf127c2c8410f51",
"sha256:d9f7a692c11de20cb8ec680584815315e03d1404a6e299d36489b0fb6447d98d",
"sha256:d9fa2ad4cabb5054faa8d4a44b84134b0ec9d1421f5e9264d057d6be4d13c7fa",
"sha256:db53a85f4db0dbd9e5f6277d9153bcaa2ccb87b0d672c6a35f19432b3f2301a3",
"sha256:db9d36c4c7997c2a2513a5d218fd90b53bfeaf7e727f94aaf3576973378b3bce",
"sha256:e80f02e68d25c222471fcc5d1933275b8eb396e5e40b7863e4e0a43b3c810059",
"sha256:e84bd1c29e83ec74a95de070473742eb52d08502f2428eff5751671081e0a0a6",
"sha256:f0e12bdafdf7e32c5ad4a073e325ea0d659d4277af8b3d8eccf3101c56879619",
"sha256:fd56a9e0c63a1f9c37621fe298c77795aefd2a26dca80dcae27688586c40b4bb"
],
"markers": "python_version >= '2.5' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==3.17.3"
"version": "==3.18.0"
},
"six": {
"hashes": [
@@ -618,10 +906,11 @@
},
"stix2-patterns": {
"hashes": [
"sha256:174fe5302d2c3223205033af987754132a9ea45a9f8e08aefafbe0549c889ea4",
"sha256:bc46cc4eba44b76a17eab7a3ff67f35203543cdb918ab24c1ebd58403fa27992"
"sha256:07750c5a5af2c758e9d2aa4dde9d8e04bcd162ac2a9b0b4c4de4481d443efa08",
"sha256:ca4d68b2db42ed99794a418388769d2676ca828e9cac0b8629e73cd3f68f6458"
],
"version": "==1.3.2"
"markers": "python_version >= '3.6'",
"version": "==2.0.0"
},
"taxii2-client": {
"hashes": [
@@ -630,14 +919,6 @@
],
"version": "==2.3.0"
},
"typing-extensions": {
"hashes": [
"sha256:0ac0f89795dd19de6b97debb0c6af1c70987fd80a2d62d1958f7e56fcc31b497",
"sha256:50b6f157849174217d0656f99dc82fe932884fb250826c18350e159ec6cdf342",
"sha256:779383f6086d90c99ae41cf0ff39aac8a7937a9283ce0a414e5dd782f4c94a84"
],
"version": "==3.10.0.0"
},
"urllib3": {
"hashes": [
"sha256:39fb8672126159acb139a7718dd10806104dec1e2f0f6c88aab05d17df10c8d4",
@@ -662,46 +943,83 @@
},
"yarl": {
"hashes": [
"sha256:00d7ad91b6583602eb9c1d085a2cf281ada267e9a197e8b7cae487dadbfa293e",
"sha256:0355a701b3998dcd832d0dc47cc5dedf3874f966ac7f870e0f3a6788d802d434",
"sha256:15263c3b0b47968c1d90daa89f21fcc889bb4b1aac5555580d74565de6836366",
"sha256:2ce4c621d21326a4a5500c25031e102af589edb50c09b321049e388b3934eec3",
"sha256:31ede6e8c4329fb81c86706ba8f6bf661a924b53ba191b27aa5fcee5714d18ec",
"sha256:324ba3d3c6fee56e2e0b0d09bf5c73824b9f08234339d2b788af65e60040c959",
"sha256:329412812ecfc94a57cd37c9d547579510a9e83c516bc069470db5f75684629e",
"sha256:4736eaee5626db8d9cda9eb5282028cc834e2aeb194e0d8b50217d707e98bb5c",
"sha256:4953fb0b4fdb7e08b2f3b3be80a00d28c5c8a2056bb066169de00e6501b986b6",
"sha256:4c5bcfc3ed226bf6419f7a33982fb4b8ec2e45785a0561eb99274ebbf09fdd6a",
"sha256:547f7665ad50fa8563150ed079f8e805e63dd85def6674c97efd78eed6c224a6",
"sha256:5b883e458058f8d6099e4420f0cc2567989032b5f34b271c0827de9f1079a424",
"sha256:63f90b20ca654b3ecc7a8d62c03ffa46999595f0167d6450fa8383bab252987e",
"sha256:68dc568889b1c13f1e4745c96b931cc94fdd0defe92a72c2b8ce01091b22e35f",
"sha256:69ee97c71fee1f63d04c945f56d5d726483c4762845400a6795a3b75d56b6c50",
"sha256:6d6283d8e0631b617edf0fd726353cb76630b83a089a40933043894e7f6721e2",
"sha256:72a660bdd24497e3e84f5519e57a9ee9220b6f3ac4d45056961bf22838ce20cc",
"sha256:73494d5b71099ae8cb8754f1df131c11d433b387efab7b51849e7e1e851f07a4",
"sha256:7356644cbed76119d0b6bd32ffba704d30d747e0c217109d7979a7bc36c4d970",
"sha256:8a9066529240171b68893d60dca86a763eae2139dd42f42106b03cf4b426bf10",
"sha256:8aa3decd5e0e852dc68335abf5478a518b41bf2ab2f330fe44916399efedfae0",
"sha256:97b5bdc450d63c3ba30a127d018b866ea94e65655efaf889ebeabc20f7d12406",
"sha256:9ede61b0854e267fd565e7527e2f2eb3ef8858b301319be0604177690e1a3896",
"sha256:b2e9a456c121e26d13c29251f8267541bd75e6a1ccf9e859179701c36a078643",
"sha256:b5dfc9a40c198334f4f3f55880ecf910adebdcb2a0b9a9c23c9345faa9185721",
"sha256:bafb450deef6861815ed579c7a6113a879a6ef58aed4c3a4be54400ae8871478",
"sha256:c49ff66d479d38ab863c50f7bb27dee97c6627c5fe60697de15529da9c3de724",
"sha256:ce3beb46a72d9f2190f9e1027886bfc513702d748047b548b05dab7dfb584d2e",
"sha256:d26608cf178efb8faa5ff0f2d2e77c208f471c5a3709e577a7b3fd0445703ac8",
"sha256:d597767fcd2c3dc49d6eea360c458b65643d1e4dbed91361cf5e36e53c1f8c96",
"sha256:d5c32c82990e4ac4d8150fd7652b972216b204de4e83a122546dce571c1bdf25",
"sha256:d8d07d102f17b68966e2de0e07bfd6e139c7c02ef06d3a0f8d2f0f055e13bb76",
"sha256:e46fba844f4895b36f4c398c5af062a9808d1f26b2999c58909517384d5deda2",
"sha256:e6b5460dc5ad42ad2b36cca524491dfcaffbfd9c8df50508bddc354e787b8dc2",
"sha256:f040bcc6725c821a4c0665f3aa96a4d0805a7aaf2caf266d256b8ed71b9f041c",
"sha256:f0b059678fd549c66b89bed03efcabb009075bd131c248ecdf087bdb6faba24a",
"sha256:fcbb48a93e8699eae920f8d92f7160c03567b421bc17362a9ffbbd706a816f71"
"sha256:009a028127e0a1755c38b03244c0bea9d5565630db9c4cf9572496e947137a87",
"sha256:0414fd91ce0b763d4eadb4456795b307a71524dbacd015c657bb2a39db2eab89",
"sha256:0978f29222e649c351b173da2b9b4665ad1feb8d1daa9d971eb90df08702668a",
"sha256:0ef8fb25e52663a1c85d608f6dd72e19bd390e2ecaf29c17fb08f730226e3a08",
"sha256:10b08293cda921157f1e7c2790999d903b3fd28cd5c208cf8826b3b508026996",
"sha256:1684a9bd9077e922300ecd48003ddae7a7474e0412bea38d4631443a91d61077",
"sha256:1b372aad2b5f81db66ee7ec085cbad72c4da660d994e8e590c997e9b01e44901",
"sha256:1e21fb44e1eff06dd6ef971d4bdc611807d6bd3691223d9c01a18cec3677939e",
"sha256:2305517e332a862ef75be8fad3606ea10108662bc6fe08509d5ca99503ac2aee",
"sha256:24ad1d10c9db1953291f56b5fe76203977f1ed05f82d09ec97acb623a7976574",
"sha256:272b4f1599f1b621bf2aabe4e5b54f39a933971f4e7c9aa311d6d7dc06965165",
"sha256:2a1fca9588f360036242f379bfea2b8b44cae2721859b1c56d033adfd5893634",
"sha256:2b4fa2606adf392051d990c3b3877d768771adc3faf2e117b9de7eb977741229",
"sha256:3150078118f62371375e1e69b13b48288e44f6691c1069340081c3fd12c94d5b",
"sha256:326dd1d3caf910cd26a26ccbfb84c03b608ba32499b5d6eeb09252c920bcbe4f",
"sha256:34c09b43bd538bf6c4b891ecce94b6fa4f1f10663a8d4ca589a079a5018f6ed7",
"sha256:388a45dc77198b2460eac0aca1efd6a7c09e976ee768b0d5109173e521a19daf",
"sha256:3adeef150d528ded2a8e734ebf9ae2e658f4c49bf413f5f157a470e17a4a2e89",
"sha256:3edac5d74bb3209c418805bda77f973117836e1de7c000e9755e572c1f7850d0",
"sha256:3f6b4aca43b602ba0f1459de647af954769919c4714706be36af670a5f44c9c1",
"sha256:3fc056e35fa6fba63248d93ff6e672c096f95f7836938241ebc8260e062832fe",
"sha256:418857f837347e8aaef682679f41e36c24250097f9e2f315d39bae3a99a34cbf",
"sha256:42430ff511571940d51e75cf42f1e4dbdded477e71c1b7a17f4da76c1da8ea76",
"sha256:44ceac0450e648de86da8e42674f9b7077d763ea80c8ceb9d1c3e41f0f0a9951",
"sha256:47d49ac96156f0928f002e2424299b2c91d9db73e08c4cd6742923a086f1c863",
"sha256:48dd18adcf98ea9cd721a25313aef49d70d413a999d7d89df44f469edfb38a06",
"sha256:49d43402c6e3013ad0978602bf6bf5328535c48d192304b91b97a3c6790b1562",
"sha256:4d04acba75c72e6eb90745447d69f84e6c9056390f7a9724605ca9c56b4afcc6",
"sha256:57a7c87927a468e5a1dc60c17caf9597161d66457a34273ab1760219953f7f4c",
"sha256:58a3c13d1c3005dbbac5c9f0d3210b60220a65a999b1833aa46bd6677c69b08e",
"sha256:5df5e3d04101c1e5c3b1d69710b0574171cc02fddc4b23d1b2813e75f35a30b1",
"sha256:63243b21c6e28ec2375f932a10ce7eda65139b5b854c0f6b82ed945ba526bff3",
"sha256:64dd68a92cab699a233641f5929a40f02a4ede8c009068ca8aa1fe87b8c20ae3",
"sha256:6604711362f2dbf7160df21c416f81fac0de6dbcf0b5445a2ef25478ecc4c778",
"sha256:6c4fcfa71e2c6a3cb568cf81aadc12768b9995323186a10827beccf5fa23d4f8",
"sha256:6d88056a04860a98341a0cf53e950e3ac9f4e51d1b6f61a53b0609df342cc8b2",
"sha256:705227dccbe96ab02c7cb2c43e1228e2826e7ead880bb19ec94ef279e9555b5b",
"sha256:728be34f70a190566d20aa13dc1f01dc44b6aa74580e10a3fb159691bc76909d",
"sha256:74dece2bfc60f0f70907c34b857ee98f2c6dd0f75185db133770cd67300d505f",
"sha256:75c16b2a900b3536dfc7014905a128a2bea8fb01f9ee26d2d7d8db0a08e7cb2c",
"sha256:77e913b846a6b9c5f767b14dc1e759e5aff05502fe73079f6f4176359d832581",
"sha256:7a66c506ec67eb3159eea5096acd05f5e788ceec7b96087d30c7d2865a243918",
"sha256:8c46d3d89902c393a1d1e243ac847e0442d0196bbd81aecc94fcebbc2fd5857c",
"sha256:93202666046d9edadfe9f2e7bf5e0782ea0d497b6d63da322e541665d65a044e",
"sha256:97209cc91189b48e7cfe777237c04af8e7cc51eb369004e061809bcdf4e55220",
"sha256:a48f4f7fea9a51098b02209d90297ac324241bf37ff6be6d2b0149ab2bd51b37",
"sha256:a783cd344113cb88c5ff7ca32f1f16532a6f2142185147822187913eb989f739",
"sha256:ae0eec05ab49e91a78700761777f284c2df119376e391db42c38ab46fd662b77",
"sha256:ae4d7ff1049f36accde9e1ef7301912a751e5bae0a9d142459646114c70ecba6",
"sha256:b05df9ea7496df11b710081bd90ecc3a3db6adb4fee36f6a411e7bc91a18aa42",
"sha256:baf211dcad448a87a0d9047dc8282d7de59473ade7d7fdf22150b1d23859f946",
"sha256:bb81f753c815f6b8e2ddd2eef3c855cf7da193b82396ac013c661aaa6cc6b0a5",
"sha256:bcd7bb1e5c45274af9a1dd7494d3c52b2be5e6bd8d7e49c612705fd45420b12d",
"sha256:bf071f797aec5b96abfc735ab97da9fd8f8768b43ce2abd85356a3127909d146",
"sha256:c15163b6125db87c8f53c98baa5e785782078fbd2dbeaa04c6141935eb6dab7a",
"sha256:cb6d48d80a41f68de41212f3dfd1a9d9898d7841c8f7ce6696cf2fd9cb57ef83",
"sha256:ceff9722e0df2e0a9e8a79c610842004fa54e5b309fe6d218e47cd52f791d7ef",
"sha256:cfa2bbca929aa742b5084fd4663dd4b87c191c844326fcb21c3afd2d11497f80",
"sha256:d617c241c8c3ad5c4e78a08429fa49e4b04bedfc507b34b4d8dceb83b4af3588",
"sha256:d881d152ae0007809c2c02e22aa534e702f12071e6b285e90945aa3c376463c5",
"sha256:da65c3f263729e47351261351b8679c6429151ef9649bba08ef2528ff2c423b2",
"sha256:de986979bbd87272fe557e0a8fcb66fd40ae2ddfe28a8b1ce4eae22681728fef",
"sha256:df60a94d332158b444301c7f569659c926168e4d4aad2cfbf4bce0e8fb8be826",
"sha256:dfef7350ee369197106805e193d420b75467b6cceac646ea5ed3049fcc950a05",
"sha256:e59399dda559688461762800d7fb34d9e8a6a7444fd76ec33220a926c8be1516",
"sha256:e6f3515aafe0209dd17fb9bdd3b4e892963370b3de781f53e1746a521fb39fc0",
"sha256:e7fd20d6576c10306dea2d6a5765f46f0ac5d6f53436217913e952d19237efc4",
"sha256:ebb78745273e51b9832ef90c0898501006670d6e059f2cdb0e999494eb1450c2",
"sha256:efff27bd8cbe1f9bd127e7894942ccc20c857aa8b5a0327874f30201e5ce83d0",
"sha256:f37db05c6051eff17bc832914fe46869f8849de5b92dc4a3466cd63095d23dfd",
"sha256:f8ca8ad414c85bbc50f49c0a106f951613dfa5f948ab69c10ce9b128d368baf8",
"sha256:fb742dcdd5eec9f26b61224c23baea46c9055cf16f62475e11b9b15dfd5c117b",
"sha256:fc77086ce244453e074e445104f0ecb27530d6fd3a46698e33f6c38951d5a0f1",
"sha256:ff205b58dc2929191f68162633d5e10e8044398d7a45265f90a0f1d51f85f72c"
],
"markers": "python_version >= '3.6'",
"version": "==1.6.3"
"markers": "python_version >= '3.7'",
"version": "==1.8.2"
}
}
}
+16 -11
@@ -256,18 +256,21 @@ and included with `@filename` as parameter on the command line.
Example:
*misp.conf*:
```
```apacheconf
url https://host
key foobarfoobarfoobarfoobarfoobarfoobarfoo
```
Load Sigma rule into MISP event 1234:
```
```bash
sigma2misp @misp.conf --event 1234 sigma_rule.py
```
Load Sigma rules in directory sigma_rules/ into one newly created MISP event with info set to *Test Event*:
```
```bash
sigma2misp @misp.conf --same-event --info "Test Event" -r sigma_rules/
```
@@ -280,11 +283,12 @@ sigma2misp @misp.conf --same-event --info "Test Event" -r sigma_rules/
Generates a [MITRE ATT&CK® Navigator](https://github.com/mitre/attack-navigator/) heatmap from a directory containing sigma rules.
Requirements:
- Sigma rules tagged with a `attack.tXXXX` tag (e.g.: `attack.t1086`)
* Sigma rules tagged with a `attack.tXXXX` tag (e.g.: `attack.t1086`)
Usage samples:
```
```bash
# Use the default "rules" folder
./tools/sigma2attack
@@ -345,8 +349,9 @@ If you want to contribute, you are more then welcome. There are numerous ways to
If you use it, let us know what works and what does not work.
E.g.
- Tell us about false positives (issues section)
- Try to provide an improved rule (new filter) via [pull request](https://docs.github.com/en/repositories/working-with-files/managing-files/editing-files#editing-files-in-another-users-repository) on that rule
* Tell us about false positives (issues section)
* Try to provide an improved rule (new filter) via [pull request](https://docs.github.com/en/repositories/working-with-files/managing-files/editing-files#editing-files-in-another-users-repository) on that rule
## Work on open issues
@@ -358,15 +363,15 @@ Please don't provide backends for the old code base (sigmac) anymore. Please use
## Spread the word
Last but not least, the more people use Sigma, the better, so help promote it by sharing it via social media. If you are using it, consider giving a talk about your journey and tell us about it.
Last but not least, the more people use Sigma, the better, so help promote it by sharing it via social media. If you are using it, consider giving a talk about your journey and tell us about it.
# Licenses
The content of this repository is released under the following licenses:
* The toolchain (everything under `tools/`) is licensed under the [GNU Lesser General Public License](https://www.gnu.org/licenses/lgpl-3.0.en.html)
* The [Sigma specification](https://github.com/Neo23x0/sigma/wiki) is public domain
* The rules contained in the `rules/` directory are released under the [Detection Rule License (DRL) 1.1](https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md)
* The toolchain (everything under tools/) is licensed under the[GNU Lesser General Public License](https://www.gnu.org/licenses/lgpl-3.0.en.html)
* The [Sigma Specification](https://github.com/SigmaHQ/sigma-specification) and the Sigma logo are public domain
* The rules contained in the [SigmaHQ repository](https://github.com/SigmaHQ) are released under the [Detection Rule License (DRL) 1.1](https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md)
# Credits
@@ -0,0 +1,24 @@
title: MavInject Process Injection
id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8
status: deprecated
description: Detects process injection using the signed Windows tool Mavinject32.exe
author: Florian Roth
references:
- https://twitter.com/gN3mes1s/status/941315826107510784
- https://reaqta.com/2017/12/mavinject-microsoft-injector/
- https://twitter.com/Hexacorn/status/776122138063409152
date: 2018/12/12
modified: 2021/11/27
tags:
- attack.t1055.001
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: ' /INJECTRUNNING '
condition: selection
falsepositives:
- Unknown
level: high
@@ -1,11 +1,12 @@
title: Nslookup PwSh Download Cradle
id: 72671447-4352-4413-bb91-b85569687135
status: experimental
status: deprecated
description: This rule tries to detect powershell download cradles, e.g. powershell . (nslookup -q=txt http://some.owned.domain.com)[-1]
references:
- https://twitter.com/alh4zr3d/status/1566489367232651264
author: Zach Mathis (@yamatosecurity)
date: 2022/09/06
modified: 2022/12/14 # Deprecation date
tags:
- attack.command_and_control
- attack.t1105
@@ -1,7 +1,11 @@
title: Excel Proxy Executing Regsvr32 With Payload
id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0
status: experimental
description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes.
status: deprecated
description: |
Excel called wmic to finally proxy execute regsvr32 with the payload.
An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).
But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it.
Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes.
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
@@ -1,13 +1,17 @@
title: Excel Proxy Executing Regsvr32 With Payload
title: Excel Proxy Executing Regsvr32 With Payload Alternate
id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5
status: experimental
description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes.
status: deprecated
description: |
Excel called wmic to finally proxy execute regsvr32 with the payload.
An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).
But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it.
Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes.
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
author: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)'
date: 2021/08/23
modified: 2022/07/07
modified: 2022/12/02
tags:
- attack.t1204.002
- attack.t1047
@@ -1,6 +1,6 @@
title: Abusing Windows Telemetry For Persistence - Registry
id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5
status: experimental
status: deprecated
description: |
Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.
This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.
@@ -23,19 +23,19 @@ detection:
EventType: SetValue
TargetObject|contains: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\'
Details|endswith:
- .sh
- .exe
- .dll
- .bin
- .bat
- .cmd
- .js
- .ps
- .vb
- .jar
- .hta
- .msi
- .vbs
- '.sh'
- '.exe'
- '.dll'
- '.bin'
- '.bat'
- '.cmd'
- '.js'
- '.ps'
- '.vb'
- '.jar'
- '.hta'
- '.msi'
- '.vbs'
condition: selection
fields:
- EventID
@@ -1,6 +1,6 @@
title: SilentProcessExit Monitor Registration
id: c81fe886-cac0-4913-a511-2822d72ff505
status: experimental
status: deprecated
description: Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process
references:
- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
@@ -1,12 +1,12 @@
title: Accessing WinAPI in PowerShell for Credentials Dumping
id: 3f07b9d1-2082-4c56-9277-613a621983cc
status: experimental
status: deprecated
description: Detects Accessing to lsass.exe by Powershell
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: oscd.community, Natalia Shornikova
date: 2020/10/06
modified: 2022/07/14
modified: 2022/12/18
tags:
- attack.credential_access
- attack.t1003.001
@@ -1,12 +1,12 @@
title: DCOM InternetExplorer.Application Iertutil DLL Hijack - Sysmon
id: e554f142-5cf3-4e55-ace9-a1b59e0def65
status: test
status: deprecated
description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network and loading it for a DCOM InternetExplorer DLL Hijack scenario.
references:
- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009183000.html
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga
date: 2020/10/12
modified: 2022/11/26
modified: 2022/12/18
tags:
- attack.lateral_movement
- attack.t1021.002
@@ -23,7 +23,7 @@ detection:
EventID: 7
Image|endswith: '\Internet Explorer\iexplore.exe'
ImageLoaded|endswith: '\Internet Explorer\iertutil.dll'
condition: selection_one or selection_two
condition: 1 of selection_*
falsepositives:
- Unknown
level: critical
@@ -1,17 +1,20 @@
title: Account Created And Deleted By Non Approved Users
id: c98184ba-4a27-4e10-b7b7-da48e71f4d25
status: experimental
description: Detects when accounts are created and deleted by non-approved users.
author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'
date: 2022/08/11
description: Detects accounts that are created or deleted by non-approved users.
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts
author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'
date: 2022/08/11
tags:
- attack.defense_evasion
- attack.t1078
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message:
properties.message:
- Add user
- Delete user
Status: Sucess
@@ -20,7 +23,4 @@ detection:
condition: selection and not valid_admin
falsepositives:
- Legit administrative action
tags:
- attack.defense_evasion
- attack.t1078
level: medium
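Review bot: The `Status: Sucess` value in `selection` looks misspelled, and the commit reorders the metadata around it without touching it. If the audit log records the value as `Success`, the selection never matches and the rule silently produces no alerts; I would change it to `Status: Success` after confirming the field value against a real Azure audit event. The title still says "Created And Deleted" while the reworded description says "created or deleted", which is what the two-value `properties.message` list actually matches.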
@@ -1,11 +1,14 @@
title: Authentication Occuring Outside Normal Business Hours
id: 160f24f3-e6cc-496d-8a3d-f5d06e4ad526
status: experimental
description: Detects when an a user signs in outside of normal business hours.
author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'
date: 2022/08/11
description: Detects user signs ins outside of normal business hours.
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins
author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'
date: 2022/08/11
tags:
- attack.persistence
- attack.t1078
logsource:
product: azure
service: signinlogs
@@ -19,7 +22,4 @@ detection:
condition: selection
falsepositives:
- User doing actual work outside of normal business hours.
tags:
- attack.persistence
- attack.t1078
level: low
@@ -1,16 +1,20 @@
title: Privilege Role Elevation Not Occuring on SAW or PAW
id: 38a5e67b-436a-4e77-9f73-f48a82626890
status: experimental
description: Detects when an account fails a sign-in when in from a PAW or SAW device
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022/08/11
description: Detects failed sign-in from a PAW or SAW device
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022/08/11
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1078
logsource:
product: azure
service: signinlogs
detection:
# You have to tune the rule for your environnement before use it
# You have to tune the rule for your environment before use it
selection:
properties.message|contains: Add memmber to role completed (PIM aciviation)
# Countries you DO operate out of e,g GB, use list for mulitple
@@ -25,8 +29,4 @@ detection:
condition: selection
falsepositives:
- Not using a PAW/SAW in the environment
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1078
level: high
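Review bot: The match string `Add memmber to role completed (PIM aciviation)` in `selection` contains two apparent typos, so a `contains` match against the real operation text would presumably never fire. I would correct it to `properties.message|contains: Add member to role completed (PIM activation)` once the exact wording is confirmed against an audit record. The new description ("failed sign-in from a PAW or SAW device") also no longer agrees with the title, which describes a role elevation that did not come from a PAW/SAW. Part of the detection block lies between the two hunks and is not visible here.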
@@ -1,16 +1,19 @@
title: Privilege Role Sign-In Outside Expected Controls
id: cf1e5687-84e1-41af-97a9-158094efef53
status: experimental
description: Detects when an account fails a sign-in when it doesn't meet expected controls for admins
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022/08/11
description: Detects failed sign-in due to user not meeting expected controls for adminitrators
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022/08/11
tags:
- attack.defense_evasion
- attack.t1078
logsource:
product: azure
service: signinlogs
detection:
# You have to tune the rule for your environnement before use it
# You have to tune the rule for your environment before use it
selection:
Status: failure
# Countries you do NOT operate out of e,g GB, use list for mulitple
@@ -21,7 +24,4 @@ detection:
condition: selection
falsepositives:
- A legit admin not following proper processes
tags:
- attack.defense_evasion
- attack.t1078
level: high
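Review bot: The reworded description introduces a typo, `adminitrators`; it should read `description: Detects failed sign-in due to user not meeting expected controls for administrators`. The tuning comment kept below it (`e,g GB, use list for mulitple`) could be corrected in the same pass to `e.g. GB, use a list for multiple`, since the tuning comments are the only guidance visible in these hunks for adapting the rule.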
@@ -1,11 +1,14 @@
title: Privilege Role Sign-In Outside Of Normal Hours
id: e927a2f5-e7af-424f-ace7-70ebb49e8976
status: experimental
description: Detects when an account signs in from outside normal hours or locations. Admin accounts should be investigated
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022/08/11
description: Detects account sign ins outside of normal hours or uncommon locations. Administrator accounts should be investigated
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022/08/11
tags:
- attack.persistence
- attack.t1078
logsource:
product: azure
service: signinlogs
@@ -20,8 +23,5 @@ detection:
Initiatied.By: '%ApprovedUserUpn%'
condition: selection
falsepositives:
- An admin doing actual work outside of normal business hours.
tags:
- attack.persistence
- attack.t1078
- An admin doing actual work outside of normal business hours
level: high
@@ -20,7 +20,7 @@ detection:
- 'shell32.dll'
- 'shellexec_rundll'
- 'powershell'
condition: selection
condition: selection
falsepositives:
- Unknown
level: medium
@@ -3,14 +3,14 @@ id: d585ab5a-6a69-49a8-96e8-4a726a54de46
related:
- id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
type: derived
status: test
status: unsupported
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
author: Teymur Kheirkhabarov, Ecco, Florian Roth
date: 2019/10/26
modified: 2022/10/09
modified: 2022/12/22
tags:
- attack.privilege_escalation
- attack.t1134.001
@@ -51,4 +51,4 @@ fields:
- ImagePath
falsepositives:
- Highly unlikely
level: critical
level: critical
+1 -2
@@ -19,8 +19,7 @@ detection:
- 'HKTL'
- 'SecurityTool'
- 'ATK/' # Sophos
- Signature|contains:
- 'Hacktool'
- Signature|contains: 'Hacktool'
condition: selection
fields:
- FileName
@@ -6,14 +6,14 @@ references:
- https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
author: Florian Roth, Arnim Rupp
date: 2018/09/09
modified: 2021/11/23
modified: 2022/12/18
tags:
- attack.resource_development
- attack.t1588
logsource:
category: antivirus
detection:
selection:
selection_path:
- Filename|startswith:
- 'C:\Windows\'
- 'C:\Temp\'
@@ -29,7 +29,7 @@ detection:
- 'tomcat'
- 'nginx'
- 'weblogic'
selection2:
selection_ext:
Filename|endswith:
- '.asax'
- '.ashx'
@@ -69,7 +69,7 @@ detection:
- '.wsf'
- '.wsh'
- '.xml'
condition: selection or selection2
condition: 1 of selection_*
fields:
- Signature
- User
+22
@@ -0,0 +1,22 @@
title: SES Identity Has Been Deleted
id: 20f754db-d025-4a8f-9d74-e0037e999a9a
status: experimental
description: Detects an instance of an SES identity being deleted via the "delete-identity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities
references:
- https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
author: Janantha Marasinghe
date: 2022/12/13
tags:
- attack.defense_evasion
- attack.t1070
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'ses.amazonaws.com'
eventName: 'delete-identity'
condition: selection
falsepositives:
- Unknown
level: medium
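Review bot: `eventName: 'delete-identity'` is the AWS CLI sub-command spelling, whereas CloudTrail records the API action name, so this selection likely never matches. The other SES rule added in this commit uses the action form (`VerifyEmailIdentity`, `UpdateAccountSendingEnabled`); the equivalent here would be `eventName: 'DeleteIdentity'`. The description's "delete-identity" wording should follow the same change.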
+32
@@ -0,0 +1,32 @@
title: Potential Backup Enumeration on An AWS Instance
id: 76255e09-755e-4675-8b6b-dbce9842cd2a
status: experimental
description: Detects potential enumeration activity targeting an AWS instance backups
references:
- https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
author: Janantha Marasinghe
date: 2022/12/13
tags:
- attack.discovery
- attack.t1580
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'ec2.amazonaws.com'
eventName:
- 'GetPasswordData'
- 'GetEbsEncryptionByDefault'
- 'GetEbsDefaultKmsKeyId'
- 'GetBucketReplication'
- 'DescribeVolumes'
- 'DescribeVolumesModifications'
- 'DescribeSnapshotAttribute'
- 'DescribeSnapshotTierStatus'
- 'DescribeImages'
timeframe: 10m
condition: selection | count() > 5
falsepositives:
- Unknown
level: medium
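Review bot: `GetBucketReplication` is an S3 action, so it cannot appear together with `eventSource: 'ec2.amazonaws.com'` and that list entry is dead as written. Either drop it from this rule or move it to the S3 storage-enumeration rule added in the same commit. `GetPasswordData` may also fit credential access better than backup enumeration, so the `attack.t1580` tag and the title deserve a second look.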
+29
@@ -0,0 +1,29 @@
title: Potential Network Enumeration on An AWS Instance
id: c3d53999-4b14-4ddd-9d9b-e618c366b54d
status: experimental
description: Detects network enumeration performed on an AWS instance.
references:
- https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
author: Janantha Marasinghe
date: 2022/12/13
tags:
- attack.discovery
- attack.t1016
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'ec2.amazonaws.com'
eventName:
- 'DescribeCarrierGateways'
- 'DescribeVpcEndpointConnectionNotifications'
- 'DescribeTransitGatewayMulticastDomains'
- 'DescribeClientVpnRoutes'
- 'DescribeDhcpOptions'
- 'GetTransitGatewayRouteTableAssociations'
timeframe: 10m
condition: selection | count() > 5
falsepositives:
- Unknown
level: low
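Review bot: `condition: selection | count() > 5` has no `by` clause, so the threshold is counted across every principal in the account rather than per caller. Routine `Describe*` calls from several unrelated tools can add up to an alert, and the resulting alert does not say which identity to investigate. Grouping by the caller, for example `condition: selection | count() by userIdentity.arn > 5`, would address both. The backup and storage enumeration rules added in this commit use the same ungrouped condition.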
+30
@@ -0,0 +1,30 @@
title: Potential Storage Enumeration on An AWS Instance
id: 4723218f-2048-41f6-bcb0-417f2d784f61
status: experimental
description: Detects potential enumeration activity targeting AWS storage
references:
- https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
author: Janantha Marasinghe
date: 2022/12/13
tags:
- attack.discovery
- attack.t1619
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 's3.amazonaws.com'
eventName:
- 'ListBuckets'
- 'GetBucketCors'
- 'GetBucketInventoryConfiguration'
- 'GetBucketPublicAccessBlock'
- 'GetBucketMetricsConfiguration'
- 'GetBucketPolicy'
- 'GetBucketTagging'
timeframe: 10m
condition: selection | count() > 5
falsepositives:
- Unknown
level: medium
@@ -7,23 +7,20 @@ references:
- https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html
author: Austin Songer @austinsonger
date: 2021/10/03
modified: 2021/10/13
modified: 2022/12/18
tags:
- attack.privilege_escalation
logsource:
product: aws
service: cloudtrail
detection:
selection1:
eventSource: glue.amazonaws.com
eventName: CreateDevEndpoint
selection2:
eventSource: glue.amazonaws.com
eventName: DeleteDevEndpoint
selection3:
eventSource: glue.amazonaws.com
eventName: UpdateDevEndpoint
condition: selection1 or selection2 or selection3
selection:
eventSource: 'glue.amazonaws.com'
eventName:
- 'CreateDevEndpoint'
- 'DeleteDevEndpoint'
- 'UpdateDevEndpoint'
condition: selection
falsepositives:
- Glue Development Endpoint Activity may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- If known behavior is causing false positives, it can be exempted from the rule.
@@ -0,0 +1,26 @@
title: Potential Phshing Activity Via AWS Cloud Email Service Abuse
id: 60b84424-a724-4502-bd0d-cc676e1bc90e
status: experimental
description: Detects potential phshing activity when the email sending feature is enabled for an account and the email address verification request is dispatched in quick succession
references:
- https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
author: Janantha Marasinghe
date: 2022/12/12
tags:
- attack.t1583.006
- attack.resource_development
logsource:
product: aws
service: cloudtrail
detection:
selection1:
eventSource: 'ses.amazonaws.com'
eventName: 'UpdateAccountSendingEnabled'
selection2:
eventSource: 'ses.amazonaws.com'
eventName: 'VerifyEmailIdentity'
timeframe: 5m
condition: selection1 and selection2 # We don't combine them in one selection because we want to correlate both events
falsepositives:
- Legitimate SES configuration activity
level: medium
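Review bot: `condition: selection1 and selection2` can never be true, because both selections constrain `eventName` to different values and a plain `and` is evaluated against a single event. The inline comment says the intent is to correlate two events, which needs an aggregation such as `condition: selection1 | near selection2`, the form the CVE-2021-4034 auditd rule in this commit switches to. Without it, `timeframe: 5m` has nothing to act on. The title and description also misspell "Phishing" as `Phshing`.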
+8 -8
@@ -7,7 +7,7 @@ references:
- https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
author: Austin Songer
date: 2021/09/22
modified: 2022/10/09
modified: 2022/12/18
tags:
- attack.initial_access
- attack.t1078
@@ -20,13 +20,13 @@ logsource:
product: aws
service: cloudtrail
detection:
selection1:
eventSource: sts.amazonaws.com
eventName: AssumeRoleWithSAML
selection2:
eventSource: iam.amazonaws.com
eventName: UpdateSAMLProvider
condition: selection1 or selection2
selection_sts:
eventSource: 'sts.amazonaws.com'
eventName: 'AssumeRoleWithSAML'
selection_iam:
eventSource: 'iam.amazonaws.com'
eventName: 'UpdateSAMLProvider'
condition: 1 of selection_*
falsepositives:
- Automated processes that uses Terraform may lead to false positives.
- SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
@@ -0,0 +1,23 @@
title: Discovery Using AzureHound
id: 35b781cc-1a08-4a5a-80af-42fd7c315c6b
status: experimental
description: Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication.
references:
- https://github.com/BloodHoundAD/AzureHound
author: Janantha Marasinghe
date: 2022/11/27
tags:
- attack.discovery
- attack.t1087.004
- attack.t1526
logsource:
product: azure
service: signinlogs
detection:
selection:
userAgent|contains: 'azurehound'
ResultType: 0
condition: selection
falsepositives:
- Unknown
level: high
@@ -13,7 +13,7 @@ references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
author: Austin Songer @austinsonger
date: 2021/11/25
modified: 2022/08/23
modified: 2022/12/18
tags:
- attack.persistence
- attack.t1078
@@ -24,17 +24,14 @@ logsource:
product: azure
service: activitylogs
detection:
selection1:
operationName|startswith: 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO'
selection:
operationName|startswith:
- 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO'
- 'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO'
operationName|endswith:
- '/MUTATINGWEBHOOKCONFIGURATIONS/WRITE'
- '/VALIDATINGWEBHOOKCONFIGURATIONS/WRITE'
selection2:
operationName|startswith: 'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO'
operationName|endswith:
- '/MUTATINGWEBHOOKCONFIGURATIONS/WRITE'
- '/VALIDATINGWEBHOOKCONFIGURATIONS/WRITE'
condition: selection1 or selection2
condition: selection
falsepositives:
- Azure Kubernetes Admissions Controller may be done by a system administrator.
- If known behavior is causing false positives, it can be exempted from the rule.
@@ -12,7 +12,7 @@ references:
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
author: Austin Songer @austinsonger
date: 2021/11/22
modified: 2022/08/23
modified: 2022/12/18
tags:
- attack.persistence
- attack.privilege_escalation
@@ -21,17 +21,14 @@ logsource:
product: azure
service: activitylogs
detection:
selection1:
operationName|startswith: 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH'
selection:
operationName|startswith:
- 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH'
- 'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH'
operationName|endswith:
- '/CRONJOBS/WRITE'
- '/JOBS/WRITE'
selection2:
operationName|startswith: 'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH'
operationName|endswith:
- '/CRONJOBS/WRITE'
- '/JOBS/WRITE'
condition: selection1 or selection2
condition: selection
falsepositives:
- Azure Kubernetes CronJob/Job may be done by a system administrator.
- If known behavior is causing false positives, it can be exempted from the rule.
+4 -3
@@ -6,6 +6,7 @@ references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
author: AlertIQ
date: 2021/10/10
modified: 2022/12/18
tags:
- attack.initial_access
- attack.t1078.004
@@ -13,13 +14,13 @@ logsource:
product: azure
service: signinlogs
detection:
selection:
selection_50074:
ResultType: 50074
ResultDescription|contains: 'Strong Auth required'
selection1:
selection_500121:
ResultType: 500121
ResultDescription|contains: 'Authentication failed during strong authentication request'
condition: selection or selection1
condition: 1 of selection_*
falsepositives:
- Unknown
level: medium
@@ -6,6 +6,7 @@ references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
author: Austin Songer @austinsonger
date: 2021/11/26
modified: 2022/12/18
tags:
- attack.initial_access
- attack.t1078
@@ -13,16 +14,16 @@ logsource:
product: azure
service: signinlogs
detection:
selection1:
selection_50097:
ResultType: 50097
ResultDescription: 'Device authentication is required'
selection2:
selection_50155:
ResultType: 50155
ResultDescription: 'DeviceAuthenticationFailed'
selection3:
selection_50158:
ResultType: 50158
ResultDescription: 'ExternalSecurityChallenge - External security challenge was not satisfied'
condition: selection1 or selection2 or selection3
condition: 1 of selection_*
falsepositives:
- Unknown
level: medium
@@ -12,7 +12,7 @@ references:
- https://cloud.google.com/kubernetes-engine/docs
author: Austin Songer @austinsonger
date: 2021/11/25
modified: 2021/11/26
modified: 2022/12/18
tags:
- attack.persistence
- attack.t1078
@@ -23,19 +23,16 @@ logsource:
product: gcp
service: gcp.audit
detection:
selection1:
gcp.audit.method_name|startswith: 'admissionregistration.k8s.io.v*.mutatingwebhookconfigurations.'
selection:
gcp.audit.method_name|startswith: 'admissionregistration.k8s.io.v'
gcp.audit.method_name|contains:
- '.mutatingwebhookconfigurations.'
- '.validatingwebhookconfigurations.'
gcp.audit.method_name|endswith:
- 'create'
- 'patch'
- 'replace'
selection2:
gcp.audit.method_name|startswith: 'admissionregistration.k8s.io.v*.validatingwebhookconfigurations.'
gcp.audit.method_name|endswith:
- 'create'
- 'patch'
- 'replace'
condition: selection1 or selection2
condition: selection
falsepositives:
- Google Cloud Kubernetes Admission Controller may be done by a system administrator.
- If known behavior is causing false positives, it can be exempted from the rule.
@@ -3,10 +3,12 @@ id: 759d0d51-bc99-4b5e-9add-8f5b2c8e7512
status: test
description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
references:
- 'MITRE Attack technique T1136; Create Account '
author: Marie Euler
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files
- https://access.redhat.com/articles/4409591#audit-record-types-2
- https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07
author: Marie Euler, Pawel Mazur
date: 2020/05/18
modified: 2021/11/27
modified: 2022/12/20
tags:
- attack.t1136.001
- attack.persistence
@@ -14,10 +16,12 @@ logsource:
product: linux
service: auditd
detection:
selection:
selection_syscall_record_type:
type: 'SYSCALL'
exe|endswith: '/useradd'
condition: selection
selection_add_user_record_type:
type: 'ADD_USER' # This is logged without having to configure audit rules on both Ubuntu and Centos
condition: 1 of selection_*
falsepositives:
- Admin activity
level: medium
@@ -9,7 +9,7 @@ references:
- https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
author: Bhabesh Raj
date: 2021/02/01
modified: 2022/10/09
modified: 2022/12/18
tags:
- attack.privilege_escalation
- attack.t1068
@@ -18,26 +18,20 @@ logsource:
product: linux
service: auditd
detection:
selection:
cmd_base:
type: 'EXECVE'
a0: '/usr/bin/sudoedit'
cmd1:
a1: '-s'
cmd2:
a2: '-s'
cmd3:
a3: '-s'
cmd4:
a4: '-s'
cmd5:
a1: '\'
cmd6:
a2: '\'
cmd7:
a3: '\'
cmd8:
a4: '\'
condition: selection and (cmd1 or cmd2 or cmd3 or cmd4) and (cmd5 or cmd6 or cmd7 or cmd8) | count() by host > 50
cmd_s:
- a1: '-s'
- a2: '-s'
- a3: '-s'
- a4: '-s'
cmd_backslash:
- a1: '\'
- a2: '\'
- a3: '\'
- a4: '\'
condition: all of cmd_* | count() by host > 50
falsepositives:
- Unknown
level: high
@@ -1,13 +1,14 @@
title: CVE-2021-4034 Exploitation Attempt
title: Potential CVE-2021-4034 Exploitation Attempt
id: 40a016ab-4f48-4eee-adde-bbf612695c53
status: experimental
description: Detects exploitation attempt of vulnerability described in CVE-2021-4034.
description: Detects exploitation attempt of the vulnerability described in CVE-2021-4034.
references:
- https://github.com/berdav/CVE-2021-4034
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034
- https://access.redhat.com/security/cve/CVE-2021-4034
author: 'Pawel Mazur'
author: Pawel Mazur
date: 2022/01/27
modified: 2022/12/22
tags:
- attack.privilege_escalation
- attack.t1068
@@ -15,14 +16,14 @@ logsource:
product: linux
service: auditd
detection:
proctitle:
selection_proctitle:
type: PROCTITLE
proctitle: '(null)'
syscall:
selection_syscall:
type: SYSCALL
comm: pkexec
exe: '/usr/bin/pkexec'
condition: proctitle and syscall
condition: selection_proctitle |near selection_syscall
falsepositives:
- Unknown
level: high
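Review bot: The new `|near` condition has no `timeframe`, so how close the PROCTITLE and SYSCALL records must be is left to whatever the converting backend assumes. I would add a short window such as `timeframe: 5s` (value to be tuned) and write the operator as `condition: selection_proctitle | near selection_syscall`, matching the spacing of the `| count()` conditions elsewhere in the commit. Backend support for `near` is limited, so it is worth confirming the target converter accepts it before relying on this rule.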
@@ -10,7 +10,7 @@ references:
- https://access.redhat.com/articles/4409591#audit-record-types-2
author: 'Pawel Mazur'
date: 2021/05/24
modified: 2022/10/09
modified: 2022/12/18
tags:
- attack.credential_access
- attack.t1003
@@ -19,16 +19,16 @@ logsource:
product: linux
service: auditd
detection:
path_events:
selection_path_events:
type: PATH
name:
- '/etc/pam.d/system-auth'
- '/etc/pam.d/password-auth'
tty_events:
selection_tty_events:
type:
- 'TTY'
- 'USER_TTY'
condition: path_events or tty_events
condition: 1 of selection_*
falsepositives:
- Administrative work
level: high
@@ -8,7 +8,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2022/11/26
modified: 2022/12/18
tags:
- attack.credential_access
- attack.discovery
@@ -17,17 +17,17 @@ logsource:
product: linux
service: auditd
detection:
selection1:
selection_1:
type: 'execve'
a0: 'tcpdump'
a1: '-c'
a3|contains: '-i'
selection2:
selection_2:
type: 'execve'
a0: 'tshark'
a1: '-c'
a3: '-i'
condition: selection1 or selection2
condition: 1 of selection_*
falsepositives:
- Legitimate administrator or user uses network sniffing tool for legitimate reasons.
level: low
@@ -10,7 +10,7 @@ references:
- https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu
author: Ömer Günal, oscd.community, Pawel Mazur
date: 2020/10/08
modified: 2021/11/12
modified: 2022/12/18
tags:
- attack.discovery
- attack.t1201
@@ -18,26 +18,26 @@ logsource:
product: linux
service: auditd
detection:
files:
selection_files:
type: 'PATH'
name:
- '/etc/pam.d/common-password'
- '/etc/security/pwquality.conf'
- '/etc/pam.d/system-auth'
- '/etc/login.defs'
chage:
selection_chage:
type: 'EXECVE'
a0: 'chage'
a1:
- '--list'
- '-l'
passwd:
selection_passwd:
type: 'EXECVE'
a0: 'passwd'
a1:
- '-S'
- '--status'
condition: files or chage or passwd
condition: 1 of selection_*
falsepositives:
- Legitimate administration activities
level: low
@@ -8,7 +8,7 @@ references:
- https://linux.die.net/man/1/xwd
author: 'Pawel Mazur'
date: 2021/09/13
modified: 2022/10/09
modified: 2022/12/18
tags:
- attack.collection
- attack.t1113
@@ -16,7 +16,7 @@ logsource:
product: linux
service: auditd
detection:
xwd:
selection:
type: EXECVE
a0: xwd
xwd_root_window:
@@ -26,7 +26,7 @@ detection:
xwd_no_root_window:
a1: '-out'
a2|endswith: '.xwd'
condition: xwd and (xwd_root_window or xwd_no_root_window)
condition: selection and 1 of xwd_*
falsepositives:
- Legitimate use of screenshot utility
level: low
@@ -7,7 +7,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md
author: 'Pawel Mazur'
date: 2021/09/03
modified: 2022/11/27
modified: 2022/12/18
tags:
- attack.discovery
- attack.t1082
@@ -15,18 +15,18 @@ logsource:
product: linux
service: auditd
detection:
selection:
selection_1:
type: PATH
name:
- /etc/lsb-release
- /etc/redhat-release
- /etc/issue
selection2:
selection_2:
type: EXECVE
a0:
- uname
- uptime
condition: selection or selection2
condition: 1 of selection_*
falsepositives:
- Legitimate administrative activity
level: low
@@ -0,0 +1,34 @@
title: Privileged User Has Been Created
id: 0ac15ec3-d24f-4246-aa2a-3077bb1cf90e
status: experimental
description: Detects the addition of a new user to a privileged group such as "root" or "sudo"
references:
- https://digital.nhs.uk/cyber-alerts/2018/cc-2825
- https://linux.die.net/man/8/useradd
- https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid
author: Pawel Mazur
date: 2022/12/21
tags:
- attack.persistence
- attack.t1136.001
- attack.t1098
logsource:
product: linux
definition: '/var/log/secure on REHL systems or /var/log/auth.log on debian like Systems needs to be collected in order for this detection to work'
detection:
# Example of the events that could be observed when matching these would be as follow
# Dec 21 16:42:19 testserver useradd[1337]: new user: name=butter1, UID=1000, GID=0, home=/root, shell=/bin/bash
# Dec 21 17:13:54 testserver useradd[1337]: new user: name=john, UID=0, GID=0, home=/home/john, shell=/bin/bash
# Dec 21 17:24:40 testserver useradd[1337]: new user: name=butter3, UID=1000, GID=10, home=/home/butter3, shell=/bin/bash
# Dec 21 17:30:22 testserver useradd[1337]: new user: name=butter4, UID=1000, GID=27, home=/home/butter4, shell=/bin/bash
selection_new_user:
- 'new user'
selection_uids_gids:
- 'GID=0' # root group
- 'UID=0' # root UID
- 'GID=10' # wheel group
- 'GID=27' # sudo group
condition: all of selection_*
falsepositives:
- Administrative activity
level: high
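Review bot: The keywords in `selection_uids_gids` are matched as substrings, so `'GID=10'` also matches `GID=100` or `GID=1000`, and `'GID=27'` matches `GID=270`. The sample events show `UID=1000`, so IDs in that range look normal on these hosts, and this `level: high` rule would likely fire on routine account creation with a user-private group. Anchoring each value on the comma that follows it in the useradd line, as in the sample events, removes the prefix matches. Separately, `REHL` in the `definition` should read `RHEL`.

```yaml
selection_uids_gids:
    - 'GID=0,' # root group
    - 'UID=0,' # root UID
    - 'GID=10,' # wheel group
    - 'GID=27,' # sudo group
```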
@@ -0,0 +1,24 @@
title: Group Has Been Deleted Via Groupdel
id: 8a46f16c-8c4c-82d1-b121-0fdd3ba70a84
status: experimental
description: Detects execution of the "groupdel" binary. Which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks
references:
- https://linuxize.com/post/how-to-delete-group-in-linux/
- https://www.cyberciti.biz/faq/linux-remove-user-command/
- https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/
- https://linux.die.net/man/8/groupdel
author: Tuan Le (NCSGroup)
date: 2022/12/26
tags:
- attack.impact
- attack.t1531
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/groupdel'
condition: selection
falsepositives:
- Legitimate administrator activities
level: medium
@@ -0,0 +1,24 @@
title: User Has Been Deleted Via Userdel
id: 08f26069-6f80-474b-8d1f-d971c6fedea0
status: experimental
description: Detects execution of the "userdel" binary. Which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks
references:
- https://linuxize.com/post/how-to-delete-group-in-linux/
- https://www.cyberciti.biz/faq/linux-remove-user-command/
- https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/
- https://linux.die.net/man/8/userdel
author: Tuan Le (NCSGroup)
date: 2022/12/26
tags:
- attack.impact
- attack.t1531
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/userdel'
condition: selection
falsepositives:
- Legitimate administrator activities
level: medium
@@ -0,0 +1,25 @@
title: User Added To Root/Sudoers Group Using Usermod
id: 6a50f16c-3b7b-42d1-b081-0fdd3ba70a73
status: experimental
description: Detects usage of the "usermod" binary to add users add users to the root or suoders groups
references:
- https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/
- https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/
author: TuanLe (GTSC)
date: 2022/12/21
tags:
- attack.privilege_escalation
- attack.persistence
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/usermod'
CommandLine|contains:
- '-aG root'
- '-aG sudoers'
condition: selection
falsepositives:
- Legitimate administrator activities
level: medium
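Review bot: The `CommandLine|contains` list looks for `-aG sudoers`, but sudoers is normally the sudo configuration file rather than a group; the privileged groups named in the "Privileged User Has Been Created" rule of this commit are `sudo` and `wheel`. I would add `- '-aG sudo'` (which also covers the existing `sudoers` string) and `- '-aG wheel'`. The match is also tied to the exact `-aG` spelling, so a comment stating that other option spellings of usermod are not covered would set expectations. The description repeats "add users" and misspells "sudoers" as "suoders".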
@@ -13,7 +13,7 @@ references:
- https://threatpost.com/microsoft-petitpotam-poc/168163/
author: '@neu5ron, @Antonlovesdnb, Mike Remen'
date: 2021/08/17
modified: 2022/10/09
modified: 2022/11/28
tags:
- attack.t1557.001
- attack.t1187
@@ -22,9 +22,7 @@ logsource:
service: dce_rpc
detection:
selection:
operation|startswith:
- 'Efs'
- 'efs'
operation|startswith: 'efs'
condition: selection
fields:
- id.orig_h
@@ -14,7 +14,7 @@ references:
- 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS'
author: '@neu5ron, SOC Prime Team, Corelight'
date: 2021/05/04
modified: 2022/10/05
modified: 2022/11/29
tags:
- attack.t1095
- attack.t1571
@@ -40,9 +40,7 @@ detection:
- '.azuregov-dns.org'
exclude_query_types:
qtype_name:
- 'NS'
- 'ns'
- 'MX'
- 'mx'
exclude_responses:
answers|endswith: '\\x00'
@@ -0,0 +1,33 @@
title: Potential OWASSRF Exploitation Attempt - Proxy
id: 1ddf4596-1908-43c9-add2-1d2c2fcc4797
status: experimental
description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint
references:
- https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
- https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
author: Nasreddine Bencherchali
date: 2022/12/22
tags:
- attack.initial_access
- attack.t1190
logsource:
category: proxy
detection:
selection:
cs-method: 'POST'
sc-status: 200
c-uri|contains|all:
- '/owa/'
- '/powershell'
c-uri|contains:
- '@'
- '%40'
filter:
c-useragent:
- 'ClientInfo'
- 'Microsoft WinRM Client'
- 'Exchange BackEnd Probes'
condition: selection and not filter
falsepositives:
- Web vulnerability scanners
level: high
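Review bot: The `filter` block excludes events on `c-useragent` alone, a value the requesting client chooses, so this `level: high` rule stays silent for any request presenting one of those three strings, wherever it comes from. If the exclusions are meant for Exchange's own probes and WinRM traffic, I would scope them to the expected internal sources where the log carries a client address. At minimum, record the assumption with a comment such as `# excluded by User-Agent only; the value is client-supplied`. The same block appears in the Webserver variant of this rule (id 181f49fa-0b21-4665-a98c-a57025ebb8c7) later in the commit.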
@@ -0,0 +1,28 @@
title: OWASSRF Exploitation Attempt Using Public POC - Proxy
id: fdd7e904-7304-4616-a46a-e32f917c4be4
status: experimental
description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint
references:
- https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
- https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
- https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw
author: Nasreddine Bencherchali
date: 2022/12/22
tags:
- attack.initial_access
- attack.t1190
logsource:
category: proxy
detection:
selection:
# Look for the header: X-OWA-ExplicitLogonUser: owa/mastermailbox@outlook.com
c-useragent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36'
cs-method: 'POST'
sc-status: 200
c-uri|contains|all:
- '/owa/mastermailbox'
- '/powershell'
condition: selection
falsepositives:
- Unlikely
level: critical
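Review bot: The comment `# Look for the header: X-OWA-ExplicitLogonUser: ...` sits inside `selection`, but no field in the rule inspects that header; the match is on User-Agent, method, status and URI only. I would reword it so a reader does not assume header coverage, for example `# The public POC also sends X-OWA-ExplicitLogonUser: owa/mastermailbox@outlook.com (not matched by this rule)`. Since the rule is keyed to the POC's literal values, the description could also say that the "Potential OWASSRF Exploitation Attempt" rule is the one intended for other traffic. The Webserver twin (id 92d78c63-5a5c-4c40-9b60-463810ffb082) carries the same comment.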
+4 -1
@@ -1,7 +1,10 @@
title: Bitsadmin to Uncommon TLD
id: 9eb68894-7476-4cd6-8752-23b51f5883a7
status: experimental
description: Detects Bitsadmin connections to domains with uncommon TLDs - https://twitter.com/jhencinski/status/1102695118455349248 - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
description: Detects Bitsadmin connections to domains with uncommon TLDs
references:
- https://twitter.com/jhencinski/status/1102695118455349248
- https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
author: Florian Roth, Tim Shelton
date: 2019/03/07
modified: 2022/08/16
@@ -0,0 +1,33 @@
title: Potential CVE-2021-26084 Exploitation Attempt
id: 38825179-3c78-4fed-b222-2e2166b926b1
description: Detects potential exploitation of CVE-2021-260841 a Confluence RCE using OGNL injection
status: experimental
references:
- https://github.com/TesterCC/exp_poc_library/blob/master/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md
- https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md
- https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
- https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/
author: Sittikorn S, Nuttakorn T
date: 2022/12/13
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection_main:
cs-method: 'POST'
sc-status: '200'
username: 'anonymous' # This string is used to reduce possible FP you could remove it to get authenticated attempts
selection_exploit_1:
c-uri|contains|all:
- '/pages/createpage-entervariables.action'
- 'SpaceKey=x' # This URI assume that you can't have a space ID of "X"
selection_exploit_2_uri:
c-uri|contains: '/doenterpagevariables.action'
selection_exploit_2_keyword:
- 'u0027' # This string should appear in the post body as a value of the parameter "queryString"
condition: selection_main and (selection_exploit_1 or all of selection_exploit_2_*)
falsepositives:
- Unknown
level: high
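Review bot: The description names `CVE-2021-260841`, which does not match the title's CVE-2021-26084; it should read `description: Detects potential exploitation of CVE-2021-26084, a Confluence RCE using OGNL injection`. The tags also lack a CVE entry, while the Solr rule added in this commit carries `cve.2021.27905`; adding `- cve.2021.26084` would keep the two consistent. `selection_exploit_2_keyword` depends on `u0027` appearing in the logged event, and its comment places that string in the POST body. The rule should state that request-body logging is required for that branch to match.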
@@ -0,0 +1,36 @@
title: Potential CVE-2021-27905 Exploitation Attempt
id: 0bbcd74b-0596-41a4-94a0-4e88a76ffdb3
status: experimental
description: Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1.
references:
- https://twitter.com/Al1ex4/status/1382981479727128580
- https://twitter.com/sec715/status/1373472323538362371
- https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/
- https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186
- https://github.com/murataydemir/CVE-2021-27905
author: '@gott_cyber'
date: 2022/12/11
tags:
- attack.initial_access
- attack.t1190
- cve.2021.27905
logsource:
category: webserver
detection:
selection_request1:
c-uri|contains|all:
- '/solr/'
- '/debug/dump?'
- 'param=ContentStream'
sc-status: '200'
selection_request2:
cs-method: 'GET'
c-uri|contains|all:
- '/solr/'
- 'command=fetchindex'
- 'masterUrl='
sc-status: '200'
condition: 1 of selection_*
falsepositives:
- Vulnerability Scanners
level: medium
@@ -0,0 +1,33 @@
title: Potential OWASSRF Exploitation Attempt - Webserver
id: 181f49fa-0b21-4665-a98c-a57025ebb8c7
status: experimental
description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint
references:
- https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
- https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
author: Nasreddine Bencherchali
date: 2022/12/22
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-method: 'POST'
sc-status: 200
c-uri|contains|all:
- '/owa/'
- '/powershell'
c-uri|contains:
- '@'
- '%40'
filter:
c-useragent:
- 'ClientInfo'
- 'Microsoft WinRM Client'
- 'Exchange BackEnd Probes'
condition: selection and not filter
falsepositives:
- Web vulnerability scanners
level: high
@@ -0,0 +1,28 @@
title: OWASSRF Exploitation Attempt Using Public POC - Webserver
id: 92d78c63-5a5c-4c40-9b60-463810ffb082
status: experimental
description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint
references:
- https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
- https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
- https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw
author: Nasreddine Bencherchali
date: 2022/12/22
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
# Look for the header: X-OWA-ExplicitLogonUser: owa/mastermailbox@outlook.com
c-useragent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36'
cs-method: 'POST'
sc-status: 200
c-uri|contains|all:
- '/owa/mastermailbox'
- '/powershell'
condition: selection
falsepositives:
- Unlikely
level: critical
@@ -34,5 +34,5 @@ detection:
Data|contains: 'C:\Windows\TEMP\UpdHealthTools.msi'
condition: selection and not 1 of filter_*
falsepositives:
- Some false positives may occur depending on the environnement
- False positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares
level: medium
@@ -0,0 +1,26 @@
title: Potential Credential Dumping Via WER - Application
id: a18e0862-127b-43ca-be12-1a542c75c7c5
status: experimental
description: Detects windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential
references:
- https://github.com/deepinstinct/Lsass-Shtinkering
- https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55
author: Nasreddine Bencherchali
date: 2022/12/07
tags:
- attack.credential_access
- attack.t1003.001
logsource:
product: windows
service: application
detection:
selection:
Provider_Name: 'Application Error'
EventID: 1000
AppName: 'lsass.exe'
ExceptionCode: 'c0000001' # STATUS_UNSUCCESSFUL
condition: selection
falsepositives:
- Rare legitimate crashing of the lsass process
level: high
@@ -8,7 +8,7 @@ references:
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
author: Florian Roth
date: 2022/06/28
modified: 2022/08/09
modified: 2022/12/02
tags:
- attack.defense_evasion
- attack.persistence
@@ -35,6 +35,9 @@ detection:
- 'anonfiles.com'
- 'send.exploit.in'
- 'transfer.sh'
- 'privatlab.net'
- 'privatlab.com'
- 'sendspace.com'
condition: selection
falsepositives:
- Unknown
@@ -7,7 +7,7 @@ references:
- https://twitter.com/SBousseaden/status/1483810148602814466
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log
date: 2022/01/20
modified: 2022/11/07
modified: 2022/12/12
tags:
- attack.execution
logsource:
@@ -71,10 +71,6 @@ detection:
FileNameBuffer|endswith:
- '\Program Files\Avast Software\Avast\aswAMSI.dll'
- '\Program Files (x86)\Avast Software\Avast\aswAMSI.dll'
ProcessNameBuffer|endswith:
- '\Windows\System32\SIHClient.exe'
- '\Windows\System32\svchost.exe'
- '\Windows Defender\MpCmdRun.exe'
RequestedPolicy:
- 8
- 12
@@ -88,7 +84,14 @@ detection:
ProcessNameBuffer|contains: '\Windows\Microsoft.NET\'
RequestedPolicy: 8
ValidatedPolicy: 2
filter_google_drive:
# Example: \Program Files\Google\Drive File Stream\67.0.2.0\crashpad_handler.exe
FileNameBuffer|contains: '\Program Files\Google\Drive File Stream\'
FileNameBuffer|endswith: '\crashpad_handler.exe'
ProcessNameBuffer|endswith: '\Windows\ImmersiveControlPanel\SystemSettings.exe'
RequestedPolicy: 8
ValidatedPolicy: 1
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
- Antivirus products
level: high
@@ -1,7 +1,7 @@
title: USB Device Plugged
id: 1a4bd6e3-4c6e-405d-a9a3-53a116e341d4
status: test
description: Detects plugged USB devices
description: Detects plugged/unplugged USB devices
references:
- https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/
- https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/
@@ -14,7 +14,7 @@ tags:
logsource:
product: windows
service: driver-framework
definition: mapping Provider_Name 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
definition: 'Requires enabling and collection of the Microsoft-Windows-DriverFrameworks-UserMode/Operational eventlog'
detection:
selection:
EventID:
@@ -1,14 +1,15 @@
title: LDAP Reconnaissance / Active Directory Enumeration
title: Potential Active Directory Reconnaissance/Enumeration Via LDAP
id: 31d68132-4038-47c7-8f8e-635a39a7c174
status: test
description: Detects possible Active Directory enumeration via LDAP
description: Detects potential Active Directory enumeration via LDAP
references:
- https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726
- https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1
- https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs
- https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c
author: Adeem Mawani
date: 2021/06/22
modified: 2022/10/09
modified: 2022/12/14
tags:
- attack.discovery
- attack.t1069.002
@@ -51,6 +52,8 @@ detection:
- '(primaryGroupID=515)'
- '(primaryGroupID=512)'
- 'Domain Admins'
- 'objectGUID=\*'
- '(schemaIDGUID=\*)'
suspicious_flag:
EventID: 30
SearchFilter|contains:
@@ -7,7 +7,7 @@ description: |
Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc".
Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.
references:
- https://bit.ly/WinLogsZero2Hero
- https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit
author: '@neu5ron'
date: 2017/11/19
modified: 2021/11/27
@@ -23,7 +23,7 @@ detection:
EventID: 4719
AuditPolicyChanges|contains:
- '%%8448' # This is "Success removed"
- '%%8450' # This is "Failure removed"
- '%%8450' # This is "Failure removed"
condition: selection
falsepositives:
- Unknown
@@ -1,5 +1,8 @@
title: COMPlus_ETWEnabled Registry Modification
title: ETW Logging Disabled In .NET Processes - Registry
id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
related:
- id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544
type: similar
status: test
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
@@ -12,22 +15,31 @@ references:
- https://bunnyinside.com/?term=f71e8cb9c76a
- http://managed670.rssing.com/chan-5590147/all_p1.html
- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
- https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/06/05
modified: 2022/10/05
modified: 2022/12/20
tags:
- attack.defense_evasion
- attack.t1112
- attack.t1562
logsource:
product: windows
service: security
detection:
selection:
selection_etw_enabled:
EventID: 4657
ObjectName|endswith: '\SOFTWARE\Microsoft\.NETFramework'
ObjectValueName: 'ETWEnabled'
NewValue: 0
condition: selection
selection_complus:
EventID: 4657
ObjectName|contains: '\Environment'
ObjectValueName:
- 'COMPlus_ETWEnabled'
- 'COMPlus_ETWFlags'
NewValue: 0
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
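Review bot: `selection_complus` lists only the `COMPlus_`-prefixed value names, but as far as I know current .NET runtimes also read the same settings under the `DOTNET_` prefix, which would leave the environment-variable branch without coverage on those hosts. If that holds for this setting, I would add `- 'DOTNET_ETWEnabled'` to `ObjectValueName`, or else note the limitation in a comment. `ObjectName|contains: '\Environment'` is also broad; a comment naming the intended keys (per-user and system environment) would make the scope explicit.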
@@ -1,4 +1,4 @@
title: Invoke-Obfuscation STDIN+ Launcher
title: Invoke-Obfuscation STDIN+ Launcher - Security
id: 0c718a5e-4284-4fb9-b4d9-b9a50b3a1974
related:
- id: 72862bf2-0eb1-11eb-adc1-0242ac120002
@@ -9,7 +9,7 @@ references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
author: Jonathan Cheong, oscd.community
date: 2020/10/15
modified: 2022/02/03
modified: 2022/11/29
tags:
- attack.defense_evasion
- attack.t1027
@@ -1,4 +1,4 @@
title: Invoke-Obfuscation VAR+ Launcher
title: Invoke-Obfuscation VAR+ Launcher - Security
id: dcf2db1f-f091-425b-a821-c05875b8925a
related:
- id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
@@ -9,7 +9,7 @@ references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
author: Jonathan Cheong, oscd.community
date: 2020/10/15
modified: 2022/11/17
modified: 2022/11/29
tags:
- attack.defense_evasion
- attack.t1027
@@ -1,4 +1,4 @@
title: Invoke-Obfuscation COMPRESS OBFUSCATION
title: Invoke-Obfuscation COMPRESS OBFUSCATION - Security
id: 7a922f1b-2635-4d6c-91ef-af228b198ad3
related:
- id: 175997c5-803c-4b08-8bb0-70b099f47595
@@ -9,7 +9,7 @@ references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
modified: 2022/10/10
modified: 2022/11/29
tags:
- attack.defense_evasion
- attack.t1027
@@ -1,4 +1,4 @@
title: Invoke-Obfuscation RUNDLL LAUNCHER
title: Invoke-Obfuscation RUNDLL LAUNCHER - Security
id: f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca
related:
- id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
@@ -9,7 +9,7 @@ references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
modified: 2022/03/06
modified: 2022/11/29
tags:
- attack.defense_evasion
- attack.t1027
@@ -1,4 +1,4 @@
title: Invoke-Obfuscation Via Stdin
title: Invoke-Obfuscation Via Stdin - Security
id: 80b708f3-d034-40e4-a6c8-d23b7a7db3d1
related:
- id: 487c7524-f892-4054-b263-8a0ace63fc25
@@ -9,7 +9,7 @@ references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
author: Nikita Nazarov, oscd.community
date: 2020/10/12
modified: 2022/02/03
modified: 2022/11/29
tags:
- attack.defense_evasion
- attack.t1027
@@ -1,4 +1,4 @@
title: Invoke-Obfuscation Via Use Clip
title: Invoke-Obfuscation Via Use Clip - Security
id: 1a0a2ff1-611b-4dac-8216-8a7b47c618a6
related:
- id: 63e3365d-4824-42d8-8b82-e56810fefa0c
@@ -9,7 +9,7 @@ references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
author: Nikita Nazarov, oscd.community
date: 2020/10/09
modified: 2022/04/26
modified: 2022/11/29
tags:
- attack.defense_evasion
- attack.t1027
@@ -1,4 +1,4 @@
title: Invoke-Obfuscation Via Use MSHTA
title: Invoke-Obfuscation Via Use MSHTA - Security
id: 9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a
related:
- id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
@@ -9,7 +9,7 @@ references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
author: Nikita Nazarov, oscd.community
date: 2020/10/09
modified: 2022/02/03
modified: 2022/11/29
tags:
- attack.defense_evasion
- attack.t1027
@@ -1,4 +1,4 @@
title: Invoke-Obfuscation Via Use Rundll32
title: Invoke-Obfuscation Via Use Rundll32 - Security
id: cd0f7229-d16f-42de-8fe3-fba365fbcb3a
related:
- id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
@@ -9,7 +9,7 @@ references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task30)
author: Nikita Nazarov, oscd.community
date: 2020/10/09
modified: 2022/03/06
modified: 2022/11/29
tags:
- attack.defense_evasion
- attack.t1027
@@ -1,4 +1,4 @@
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security
id: 4c54ba8f-73d2-4d40-8890-d9cf1dca3d30
related:
- id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
@@ -9,7 +9,7 @@ references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
author: Timur Zinniatullin, oscd.community
date: 2020/10/13
modified: 2022/11/17
modified: 2022/11/29
tags:
- attack.defense_evasion
- attack.t1027
@@ -1,4 +1,4 @@
title: Credential Dumping Tools Service Execution
title: Credential Dumping Tools Service Execution - Security
id: f0d1feba-4344-4ca9-8121-a6c97bd6df52
related:
- id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
@@ -9,7 +9,7 @@ references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2017/03/05
modified: 2022/10/09
modified: 2022/11/29
tags:
- attack.credential_access
- attack.execution
@@ -1,4 +1,4 @@
title: Meterpreter or Cobalt Strike Getsystem Service Installation
title: Meterpreter or Cobalt Strike Getsystem Service Installation - Security
id: ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34
related:
- id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
@@ -10,7 +10,7 @@ references:
- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
author: Teymur Kheirkhabarov, Ecco, Florian Roth
date: 2019/10/26
modified: 2022/10/09
modified: 2022/11/29
tags:
- attack.privilege_escalation
- attack.t1134.001
@@ -1,4 +1,4 @@
title: PowerShell Scripts Installed as Services
title: PowerShell Scripts Installed as Services - Security
id: 2a926e6a-4b81-4011-8a96-e36cc8c04302
related:
- id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
@@ -9,7 +9,7 @@ references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: oscd.community, Natalia Shornikova
date: 2020/10/06
modified: 2022/10/09
modified: 2022/11/29
tags:
- attack.execution
- attack.t1569.002
@@ -0,0 +1,48 @@
title: Remote Access Tool Services Have Been Installed - Security
id: c8b00925-926c-47e3-beea-298fd563728e
related:
- id: 1a31b18a-f00c-4061-9900-f735b96c99fc
type: similar
status: experimental
description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
references:
- https://redcanary.com/blog/misbehaving-rats/
author: Connor Martin, Nasreddine Bencherchali
date: 2022/12/23
tags:
- attack.persistence
- attack.t1543.003
- attack.t1569.002
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|contains:
# Based on https://github.com/SigmaHQ/sigma/pull/2841
- 'SSUService'
- 'SplashtopRemoteService' # https://www.splashtop.com/
- 'Atera'
- 'LogMeIn' # https://www.logmein.com/
- 'LMIGuardianSvc' # https://www.logmein.com/
- 'TeamViewer'
- 'RPCService' # https://www.remotepc.com/
- 'RPCPerformanceService' # https://www.remotepc.com/
- 'BASupportExpressStandaloneService' # https://www.systemlookup.com/O23/6839-BASupSrvc_exe.html
- 'BASupportExpressSrvcUpdater' # https://www.systemlookup.com/O23/6837-BASupSrvcUpdater_exe.html
- 'GoToMyPC' # https://get.gotomypc.com/
- 'monblanking'
- 'RManService' # https://www.systemlookup.com/O23/7855-rutserv_exe.html
- 'GoToAssist' # https://www.goto.com/it-management/resolve
- 'AmmyyAdmin' # https://www.ammyy.com/en/
- 'vncserver'
- 'Parsec'
- 'chromoting'
- 'Zoho'
- 'jumpcloud'
condition: selection
falsepositives:
- Unknown
level: medium
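Review bot: Several entries under `ServiceFileName|contains` look like service names rather than binary paths; the rule's own comments map `RManService` to rutserv_exe and `BASupportExpressStandaloneService` to BASupSrvc_exe. The file name field would then hold the executable name, and those entries may never match. Event 4697 also carries the service name, so I would match the same list with `ServiceName|contains:` in a second selection and use `condition: 1 of selection_*`. The description is cut off after "to perform". `falsepositives` should name the obvious case, `- Legitimate use of the listed remote access tools`, instead of `Unknown`.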
@@ -10,6 +10,7 @@ references:
- https://twitter.com/SBousseaden/status/1490608838701166596
author: Tim Rauch
date: 2022/09/15
modified: 2022/12/04
tags:
- attack.privilege_escalation
- attack.t1543
@@ -21,8 +22,8 @@ detection:
selection:
EventID: 4697
selection_pid:
- ClientProcessId: '0'
- ParentProcessId: '0'
- ClientProcessId: 0
- ParentProcessId: 0
condition: all of selection*
falsepositives:
- Unknown
@@ -1,7 +1,7 @@
title: Failed Code Integrity Checks
id: 470ec5fa-7b4e-4071-b200-4c753100f49b
status: stable
description: Code integrity failures may indicate tampered executables.
description: Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries.
author: Thomas Patzke
date: 2019/12/03
modified: 2020/08/23
@@ -1,4 +1,4 @@
title: Suspicious Outbound Kerberos Connection
title: Suspicious Outbound Kerberos Connection - Security
id: eca91c7c-9214-47b9-b4c5-cb1d7e4f2350
status: test
description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
@@ -6,7 +6,7 @@ references:
- https://github.com/GhostPack/Rubeus
author: Ilyas Ochkov, oscd.community
date: 2019/10/24
modified: 2022/08/15
modified: 2022/11/29
tags:
- attack.lateral_movement
- attack.t1558.003
@@ -6,7 +6,7 @@ references:
- https://twitter.com/SBousseaden/status/1195284233729777665
author: '@SBousseaden, Florian Roth'
date: 2019/11/15
modified: 2022/10/09
modified: 2022/12/22
tags:
- attack.privilege_escalation
- attack.credential_access
@@ -18,9 +18,11 @@ detection:
selection:
EventID: 4624
LogonType: 3
TargetUserName: 'ANONYMOUS_LOGON'
TargetUserName: 'ANONYMOUS LOGON'
WorkstationName: '-'
IpAddress: '127.0.0.1'
IpAddress:
- '127.0.0.1'
- '::1'
condition: selection
falsepositives:
- Unknown
@@ -0,0 +1,61 @@
title: Suspicious Scheduled Task Creation
id: 3a734d25-df5c-4b99-8034-af1ddb5883a4
status: experimental
description: Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.
references:
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698
author: Nasreddine Bencherchali
date: 2022/12/05
modified: 2022/12/07
tags:
- attack.execution
- attack.privilege_escalation
- attack.persistence
- attack.t1053.005
logsource:
product: windows
service: security
definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
detection:
selection_eid:
EventID: 4698
selection_paths:
TaskContent|contains:
- '\AppData\Local\Temp\'
- '\AppData\Roaming\'
- '\Users\Public\'
- '\WINDOWS\Temp\'
- 'C:\Temp\'
- '\Desktop\'
- '\Downloads\'
- '\Temporary Internet'
- 'C:\ProgramData\'
- 'C:\Perflogs\'
selection_commands:
TaskContent|contains:
- 'regsvr32'
- 'rundll32'
- 'cmd.exe</Command>'
- 'cmd</Command>'
- '<Arguments>/c '
- '<Arguments>/k '
- '<Arguments>/r '
- 'powershell'
- 'pwsh'
- 'mshta'
- 'wscript'
- 'cscript'
- 'certutil'
- 'bitsadmin'
- 'bash.exe'
- 'bash '
- 'scrcons'
- 'wmic '
- 'wmic.exe'
- 'forfiles'
- 'scriptrunner'
- 'hh.exe'
condition: all of selection_*
falsepositives:
- Unknown
level: high
@@ -0,0 +1,46 @@
title: Important Scheduled Task Deleted/Disabled
id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad
related:
- id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78
type: similar
- id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980
type: similar
status: experimental
description: Detects when adversaries stop services or processes by deleting or disabling their respective schdueled tasks in order to conduct data destructive activities
references:
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701
author: Nasreddine Bencherchali
date: 2022/12/05
modified: 2022/12/09
tags:
- attack.execution
- attack.privilege_escalation
- attack.persistence
- attack.t1053.005
logsource:
product: windows
service: security
definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
detection:
selection:
EventID:
- 4699 # Task Deleted Event
- 4701 # Task Disabled Event
TaskName|contains:
# Add more important tasks
- '\Windows\SystemRestore\SR'
- '\Windows\Windows Defender\'
- '\Windows\BitLocker'
- '\Windows\WindowsBackup\'
- '\Windows\WindowsUpdate\'
- '\Windows\UpdateOrchestrator\'
- '\Windows\ExploitGuard'
filter_ac_power_download:
Task|contains: '\Windows\UpdateOrchestrator\AC Power Download'
filter_sys_username:
SubjectUserName|endswith: '$' # False positives during upgrades of Defender, where its tasks get removed and added
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: high
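Review bot: `filter_ac_power_download` matches on a field named `Task`, while `selection` uses `TaskName` for the same events; unless the log pipeline really provides a `Task` field holding the task path, this filter never matches and the AC Power Download exclusion has no effect. It should probably read `TaskName|contains: '\Windows\UpdateOrchestrator\AC Power Download'`. Separately, `filter_sys_username` drops every event whose `SubjectUserName` ends in `$`, so deletions performed under the machine account are never reported; a comment stating that trade-off next to the existing one about Defender upgrades would help whoever tunes the rule.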
@@ -0,0 +1,60 @@
title: Suspicious Scheduled Task Update
id: 614cf376-6651-47c4-9dcc-6b9527f749f4
status: experimental
description: Detects update to a scheduled task event that contain suspicious keywords.
references:
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698
author: Nasreddine Bencherchali
date: 2022/12/05
tags:
- attack.execution
- attack.privilege_escalation
- attack.persistence
- attack.t1053.005
logsource:
product: windows
service: security
definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
detection:
selection_eid:
EventID: 4702
selection_paths:
TaskContentNew|contains:
- '\AppData\Local\Temp\'
- '\AppData\Roaming\'
- '\Users\Public\'
- '\WINDOWS\Temp\'
- 'C:\Temp\'
- '\Desktop\'
- '\Downloads\'
- '\Temporary Internet'
- 'C:\ProgramData\'
- 'C:\Perflogs\'
selection_commands:
TaskContentNew|contains:
- 'regsvr32'
- 'rundll32'
- 'cmd.exe</Command>'
- 'cmd</Command>'
- '<Arguments>/c '
- '<Arguments>/k '
- '<Arguments>/r '
- 'powershell'
- 'pwsh'
- 'mshta'
- 'wscript'
- 'cscript'
- 'certutil'
- 'bitsadmin'
- 'bash.exe'
- 'bash '
- 'scrcons'
- 'wmic '
- 'wmic.exe'
- 'forfiles'
- 'scriptrunner'
- 'hh.exe'
condition: all of selection_*
falsepositives:
- Unknown
level: high
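Review bot: The `references` entry points to the documentation for event 4698 (task created), but `selection_eid` matches `EventID: 4702` (task updated); it looks copied from the creation rule. The link should be `- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4702`. The description would also read better as `Detects updates to scheduled tasks whose new content contains suspicious paths and commands`, which matches the `all of selection_*` condition.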
@@ -1,4 +1,4 @@
title: Tap Driver Installation
title: Tap Driver Installation - Security
id: 9c8afa4d-0022-48f0-9456-3712466f9701
related:
- id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
@@ -7,7 +7,7 @@ status: test
description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
author: Daniil Yugoslavskiy, Ian Davis, oscd.community
date: 2019/10/24
modified: 2022/10/09
modified: 2022/11/29
tags:
- attack.exfiltration
- attack.t1048
@@ -13,7 +13,7 @@ references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673
author: xknow (@xknow_infosec), xorxes (@xor_xes)
date: 2019/04/08
modified: 2021/11/30
modified: 2022/12/12
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -27,14 +27,17 @@ detection:
PrivilegeList: 'SeLoadDriverPrivilege'
Service: '-'
filter:
ProcessName|endswith:
- '\Windows\System32\Dism.exe'
- '\Windows\System32\rundll32.exe'
- '\Windows\System32\fltMC.exe'
- '\Windows\HelpPane.exe'
- '\Windows\System32\mmc.exe'
- '\Windows\System32\svchost.exe'
- '\Windows\System32\wimserv.exe'
- ProcessName:
- 'C:\Windows\System32\Dism.exe'
- 'C:\Windows\System32\rundll32.exe'
- 'C:\Windows\System32\fltMC.exe'
- 'C:\Windows\HelpPane.exe'
- 'C:\Windows\System32\mmc.exe'
- 'C:\Windows\System32\svchost.exe'
- 'C:\Windows\System32\wimserv.exe'
- 'C:\Windows\System32\RuntimeBroker.exe'
- 'C:\Windows\System32\SystemSettingsBroker.exe'
- ProcessName|endswith:
- '\procexp64.exe'
- '\procexp.exe'
- '\procmon64.exe'
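Review bot: Pinning the system binaries to full `C:\Windows\...` paths tightens the filter, but the `ProcessName|endswith` list that follows still excludes on file name alone, so any process named `procexp64.exe`, `procexp.exe` or `procmon64.exe` is filtered whatever directory it runs from. Those tools have no fixed install location, so the path cannot be pinned the same way; I would at least record it with a comment such as `# name-only match: any process with this file name is excluded`. The exact paths also assume Windows is installed on `C:`, so hosts with another system drive will now alert on the listed binaries; that is worth a line under `falsepositives`. The `endswith` list and the rest of `detection` continue outside this hunk.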
@@ -1,4 +1,4 @@
title: WMI Persistence
title: WMI Persistence - Security
id: f033f3f3-fd24-4995-97d8-a3bb17550a88
related:
- id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b
@@ -10,7 +10,7 @@ references:
- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
author: Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
date: 2017/08/22
modified: 2022/10/09
modified: 2022/11/29
tags:
- attack.persistence
- attack.privilege_escalation
@@ -1,4 +1,4 @@
title: Invoke-Obfuscation STDIN+ Launcher
title: Invoke-Obfuscation STDIN+ Launcher - System
id: 72862bf2-0eb1-11eb-adc1-0242ac120002
status: experimental
description: Detects Obfuscated use of stdin to execute PowerShell
@@ -6,7 +6,7 @@ references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
author: Jonathan Cheong, oscd.community
date: 2020/10/15
modified: 2022/11/17
modified: 2022/11/29
tags:
- attack.defense_evasion
- attack.t1027
@@ -1,4 +1,4 @@
title: Invoke-Obfuscation VAR+ Launcher
title: Invoke-Obfuscation VAR+ Launcher - System
id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
status: experimental
description: Detects Obfuscated use of Environment Variables to execute PowerShell
@@ -6,7 +6,7 @@ references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
author: Jonathan Cheong, oscd.community
date: 2020/10/15
modified: 2022/11/17
modified: 2022/11/29
tags:
- attack.defense_evasion
- attack.t1027
@@ -1,4 +1,4 @@
title: Invoke-Obfuscation COMPRESS OBFUSCATION
title: Invoke-Obfuscation COMPRESS OBFUSCATION - System
id: 175997c5-803c-4b08-8bb0-70b099f47595
status: experimental
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
@@ -6,7 +6,7 @@ references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
modified: 2022/03/06
modified: 2022/11/29
tags:
- attack.defense_evasion
- attack.t1027
@@ -1,4 +1,4 @@
title: Invoke-Obfuscation RUNDLL LAUNCHER
title: Invoke-Obfuscation RUNDLL LAUNCHER - System
id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
status: experimental
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
@@ -6,7 +6,7 @@ references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
modified: 2022/03/07
modified: 2022/11/29
tags:
- attack.defense_evasion
- attack.t1027
@@ -1,4 +1,4 @@
title: Invoke-Obfuscation Via Stdin
title: Invoke-Obfuscation Via Stdin - System
id: 487c7524-f892-4054-b263-8a0ace63fc25
status: experimental
description: Detects Obfuscated Powershell via Stdin in Scripts
@@ -6,7 +6,7 @@ references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
author: Nikita Nazarov, oscd.community
date: 2020/10/12
modified: 2022/11/17
modified: 2022/11/29
tags:
- attack.defense_evasion
- attack.t1027
@@ -1,4 +1,4 @@
title: Invoke-Obfuscation Via Use Clip
title: Invoke-Obfuscation Via Use Clip - System
id: 63e3365d-4824-42d8-8b82-e56810fefa0c
status: experimental
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
@@ -6,7 +6,7 @@ references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
author: Nikita Nazarov, oscd.community
date: 2020/10/09
modified: 2022/04/26
modified: 2022/11/29
tags:
- attack.defense_evasion
- attack.t1027
@@ -1,4 +1,4 @@
title: Invoke-Obfuscation Via Use MSHTA
title: Invoke-Obfuscation Via Use MSHTA - System
id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
status: experimental
description: Detects Obfuscated Powershell via use MSHTA in Scripts
@@ -6,7 +6,7 @@ references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
author: Nikita Nazarov, oscd.community
date: 2020/10/09
modified: 2022/07/05
modified: 2022/11/29
tags:
- attack.defense_evasion
- attack.t1027
@@ -1,4 +1,4 @@
title: Invoke-Obfuscation Via Use Rundll32
title: Invoke-Obfuscation Via Use Rundll32 - System
id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
status: experimental
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
@@ -6,7 +6,7 @@ references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task30)
author: Nikita Nazarov, oscd.community
date: 2020/10/09
modified: 2022/03/07
modified: 2022/11/29
tags:
- attack.defense_evasion
- attack.t1027
@@ -1,4 +1,4 @@
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System
id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
status: experimental
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
@@ -6,7 +6,7 @@ references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
author: Timur Zinniatullin, oscd.community
date: 2020/10/13
modified: 2022/11/17
modified: 2022/11/29
tags:
- attack.defense_evasion
- attack.t1027
