security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'SigmaHQ:master' into master

Browse Source
This commit is contained in:
BlueTeamOps
2022-12-13 22:22:05 +11:00
committed by GitHub
parent 1e3b4ad895 24d983a6a9
commit b5fe2c1a26
68 changed files with 1428 additions and 477 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Pipfile.lock
Generated
+608 -290
View File
@@ -1,7 +1,7 @@
{
"_meta": {
"hash": {
"sha256": "08bbbed72c177a3a7a43aff79af8fdde3a0ac42e15d7e112d64cac2c5d5b6e68"
"sha256": "7353b17b3a357cace77fb11fbbc501c2b619c7644c676d360f67f70a7feeb9c8"
},
"pipfile-spec": 6,
"requires": {
@@ -18,42 +18,43 @@
"default": {
"attrs": {
"hashes": [
"sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1",
"sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb"
"sha256:29adc2665447e5191d0e7c568fde78b21f9672d344281d0c6e1ab085429b22b6",
"sha256:86efa402f67bf2df34f51a335487cf46b1ec130d02b8d39fd248abfd30da551c"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
"version": "==21.2.0"
"markers": "python_version >= '3.5'",
"version": "==22.1.0"
},
"certifi": {
"hashes": [
"sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee",
"sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8"
"sha256:35824b4c3a97115964b408844d64aa14db1cc518f6562e8d7261699d1350a9e3",
"sha256:4ad3232f5e926d6718ec31cfc1fcadfde020920e278684144551c91769c7bc18"
],
"version": "==2021.5.30"
"index": "pypi",
"version": "==2022.12.7"
},
"charset-normalizer": {
"hashes": [
"sha256:0c8911edd15d19223366a194a513099a302055a962bca2cec0f54b8b63175d8b",
"sha256:f23667ebe1084be45f6ae0538e4a5a865206544097e4e8bbcacf42cd02a348f3"
"sha256:2857e29ff0d34db842cd7ca3230549d1a697f96ee6d3fb071cfa6c7393832597",
"sha256:6881edbebdb17b39b4eaaa821b438bf6eddffb4468cf344f09f89def34a8b1df"
],
"markers": "python_version >= '3'",
"version": "==2.0.4"
"version": "==2.0.12"
},
"deprecated": {
"hashes": [
"sha256:08452d69b6b5bc66e8330adde0a4f8642e969b9e1702904d137eeb29c8ffc771",
"sha256:6d2de2de7931a968874481ef30208fd4e08da39177d61d3d4ebdf4366e7dbca1"
"sha256:43ac5335da90c31c24ba028af536a91d41d53f9e6901ddb021bcc572ce44e38d",
"sha256:64756e3e14c8c5eea9795d93c524551432a0be75629f8f29e67ab8caf076c76d"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==1.2.12"
"version": "==1.2.13"
},
"idna": {
"hashes": [
"sha256:14475042e284991034cb48e06f6851428fb14c4dc953acd9be9a5e95c7b6dd7a",
"sha256:467fbad99067910785144ce333826c71fb0e63a425657295239737f7ecd125f3"
"sha256:814f528e8dead7d329833b91c5faa87d60bf71824cd12a7530b5526063d02cb4",
"sha256:90b77e79eaa3eba6de819a0c442c0b4ceefc341a7a2ab77d7562bf49f425c5c2"
],
"markers": "python_version >= '3'",
"version": "==3.2"
"version": "==3.4"
},
"jsonschema": {
"hashes": [
@@ -80,30 +81,31 @@
},
"pyrsistent": {
"hashes": [
"sha256:097b96f129dd36a8c9e33594e7ebb151b1515eb52cceb08474c10a5479e799f2",
"sha256:2aaf19dc8ce517a8653746d98e962ef480ff34b6bc563fc067be6401ffb457c7",
"sha256:404e1f1d254d314d55adb8d87f4f465c8693d6f902f67eb6ef5b4526dc58e6ea",
"sha256:48578680353f41dca1ca3dc48629fb77dfc745128b56fc01096b2530c13fd426",
"sha256:4916c10896721e472ee12c95cdc2891ce5890898d2f9907b1b4ae0f53588b710",
"sha256:527be2bfa8dc80f6f8ddd65242ba476a6c4fb4e3aedbf281dfbac1b1ed4165b1",
"sha256:58a70d93fb79dc585b21f9d72487b929a6fe58da0754fa4cb9f279bb92369396",
"sha256:5e4395bbf841693eaebaa5bb5c8f5cdbb1d139e07c975c682ec4e4f8126e03d2",
"sha256:6b5eed00e597b5b5773b4ca30bd48a5774ef1e96f2a45d105db5b4ebb4bca680",
"sha256:73ff61b1411e3fb0ba144b8f08d6749749775fe89688093e1efef9839d2dcc35",
"sha256:772e94c2c6864f2cd2ffbe58bb3bdefbe2a32afa0acb1a77e472aac831f83427",
"sha256:773c781216f8c2900b42a7b638d5b517bb134ae1acbebe4d1e8f1f41ea60eb4b",
"sha256:a0c772d791c38bbc77be659af29bb14c38ced151433592e326361610250c605b",
"sha256:b29b869cf58412ca5738d23691e96d8aff535e17390128a1a52717c9a109da4f",
"sha256:c1a9ff320fa699337e05edcaae79ef8c2880b52720bc031b219e5b5008ebbdef",
"sha256:cd3caef37a415fd0dae6148a1b6957a8c5f275a62cca02e18474608cb263640c",
"sha256:d5ec194c9c573aafaceebf05fc400656722793dac57f254cd4741f3c27ae57b4",
"sha256:da6e5e818d18459fa46fac0a4a4e543507fe1110e808101277c5a2b5bab0cd2d",
"sha256:e79d94ca58fcafef6395f6352383fa1a76922268fa02caa2272fff501c2fdc78",
"sha256:f3ef98d7b76da5eb19c37fda834d50262ff9167c65658d1d8f974d2e4d90676b",
"sha256:f4c8cabb46ff8e5d61f56a037974228e978f26bfefce4f61a4b1ac0ba7a2ab72"
"sha256:055ab45d5911d7cae397dc418808d8802fb95262751872c841c170b0dbf51eed",
"sha256:111156137b2e71f3a9936baf27cb322e8024dac3dc54ec7fb9f0bcf3249e68bb",
"sha256:187d5730b0507d9285a96fca9716310d572e5464cadd19f22b63a6976254d77a",
"sha256:21455e2b16000440e896ab99e8304617151981ed40c29e9507ef1c2e4314ee95",
"sha256:2aede922a488861de0ad00c7630a6e2d57e8023e4be72d9d7147a9fcd2d30712",
"sha256:3ba4134a3ff0fc7ad225b6b457d1309f4698108fb6b35532d015dca8f5abed73",
"sha256:456cb30ca8bff00596519f2c53e42c245c09e1a4543945703acd4312949bfd41",
"sha256:71d332b0320642b3261e9fee47ab9e65872c2bd90260e5d225dabeed93cbd42b",
"sha256:879b4c2f4d41585c42df4d7654ddffff1239dc4065bc88b745f0341828b83e78",
"sha256:9cd3e9978d12b5d99cbdc727a3022da0430ad007dacf33d0bf554b96427f33ab",
"sha256:a178209e2df710e3f142cbd05313ba0c5ebed0a55d78d9945ac7a4e09d923308",
"sha256:b39725209e06759217d1ac5fcdb510e98670af9e37223985f330b611f62e7425",
"sha256:bfa0351be89c9fcbcb8c9879b826f4353be10f58f8a677efab0c017bf7137ec2",
"sha256:bfd880614c6237243ff53a0539f1cb26987a6dc8ac6e66e0c5a40617296a045e",
"sha256:c43bec251bbd10e3cb58ced80609c5c1eb238da9ca78b964aea410fb820d00d6",
"sha256:d690b18ac4b3e3cab73b0b7aa7dbe65978a172ff94970ff98d82f2031f8971c2",
"sha256:d6982b5a0237e1b7d876b60265564648a69b14017f3b5f908c5be2de3f9abb7a",
"sha256:dec3eac7549869365fe263831f576c8457f6c833937c68542d08fde73457d291",
"sha256:e371b844cec09d8dc424d940e54bba8f67a03ebea20ff7b7b0d56f526c71d584",
"sha256:e5d8f84d81e3729c3b506657dddfe46e8ba9c330bf1858ee33108f8bb2adb38a",
"sha256:ea6b79a02a28550c98b6ca9c35b9f492beaa54d7c5c9e9949555893c8a9234d0",
"sha256:f1258f4e6c42ad0b20f9cfcc3ada5bd6b83374516cd01c0960e3cb75fdca6770"
],
"markers": "python_version >= '3.6'",
"version": "==0.18.0"
"markers": "python_version >= '3.7'",
"version": "==0.19.2"
},
"python-dateutil": {
"hashes": [
@@ -115,10 +117,11 @@
},
"python-utils": {
"hashes": [
"sha256:18fbc1a1df9a9061e3059a48ebe5c8a66b654d688b0e3ecca8b339a7f168f208",
"sha256:352d5b1febeebf9b3cdb9f3c87a3b26ef22d3c9e274a8ec1e7048ecd2fac4349"
"sha256:22990259324eae88faa3389d302861a825dbdd217ab40e3ec701851b3337d592",
"sha256:7e329c427a6d23036cfcc4501638afb31b2ddc8896f25393562833874b8c6e0a"
],
"version": "==2.5.6"
"markers": "python_version >= '3.7'",
"version": "==3.4.5"
},
"pyyaml": {
"hashes": [
@@ -165,38 +168,59 @@
},
"ruamel.yaml": {
"hashes": [
"sha256:106bc8d6dc6a0ff7c9196a47570432036f41d556b779c6b4e618085f57e39e67",
"sha256:ffb9b703853e9e8b7861606dfdab1026cf02505bade0653d1880f4b2db47f815"
"sha256:742b35d3d665023981bd6d16b3d24248ce5df75fdb4e2924e93a05c1f8b61ca7",
"sha256:8b7ce697a2f212752a35c1ac414471dc16c424c9573be4926b56ff3f5d23b7af"
],
"index": "pypi",
"version": "==0.17.10"
"version": "==0.17.21"
},
"ruamel.yaml.clib": {
"hashes": [
"sha256:0847201b767447fc33b9c235780d3aa90357d20dd6108b92be544427bea197dd",
"sha256:1866cf2c284a03b9524a5cc00daca56d80057c5ce3cdc86a52020f4c720856f0",
"sha256:31ea73e564a7b5fbbe8188ab8b334393e06d997914a4e184975348f204790277",
"sha256:3fb9575a5acd13031c57a62cc7823e5d2ff8bc3835ba4d94b921b4e6ee664104",
"sha256:4ff604ce439abb20794f05613c374759ce10e3595d1867764dd1ae675b85acbd",
"sha256:72a2b8b2ff0a627496aad76f37a652bcef400fd861721744201ef1b45199ab78",
"sha256:78988ed190206672da0f5d50c61afef8f67daa718d614377dcd5e3ed85ab4a99",
"sha256:7b2927e92feb51d830f531de4ccb11b320255ee95e791022555971c466af4527",
"sha256:7f7ecb53ae6848f959db6ae93bdff1740e651809780822270eab111500842a84",
"sha256:825d5fccef6da42f3c8eccd4281af399f21c02b32d98e113dbc631ea6a6ecbc7",
"sha256:846fc8336443106fe23f9b6d6b8c14a53d38cef9a375149d61f99d78782ea468",
"sha256:89221ec6d6026f8ae859c09b9718799fea22c0e8da8b766b0b2c9a9ba2db326b",
"sha256:9efef4aab5353387b07f6b22ace0867032b900d8e91674b5d8ea9150db5cae94",
"sha256:a32f8d81ea0c6173ab1b3da956869114cae53ba1e9f72374032e33ba3118c233",
"sha256:a49e0161897901d1ac9c4a79984b8410f450565bbad64dbfcbf76152743a0cdb",
"sha256:ada3f400d9923a190ea8b59c8f60680c4ef8a4b0dfae134d2f2ff68429adfab5",
"sha256:bf75d28fa071645c529b5474a550a44686821decebdd00e21127ef1fd566eabe",
"sha256:cfdb9389d888c5b74af297e51ce357b800dd844898af9d4a547ffc143fa56751",
"sha256:d67f273097c368265a7b81e152e07fb90ed395df6e552b9fa858c6d2c9f42502",
"sha256:dc6a613d6c74eef5a14a214d433d06291526145431c3b964f5e16529b1842bed",
"sha256:de9c6b8a1ba52919ae919f3ae96abb72b994dd0350226e28f3686cb4f142165c"
"sha256:045e0626baf1c52e5527bd5db361bc83180faaba2ff586e763d3d5982a876a9e",
"sha256:15910ef4f3e537eea7fe45f8a5d19997479940d9196f357152a09031c5be59f3",
"sha256:184faeaec61dbaa3cace407cffc5819f7b977e75360e8d5ca19461cd851a5fc5",
"sha256:1f08fd5a2bea9c4180db71678e850b995d2a5f4537be0e94557668cf0f5f9497",
"sha256:2aa261c29a5545adfef9296b7e33941f46aa5bbd21164228e833412af4c9c75f",
"sha256:3110a99e0f94a4a3470ff67fc20d3f96c25b13d24c6980ff841e82bafe827cac",
"sha256:3243f48ecd450eddadc2d11b5feb08aca941b5cd98c9b1db14b2fd128be8c697",
"sha256:370445fd795706fd291ab00c9df38a0caed0f17a6fb46b0f607668ecb16ce763",
"sha256:40d030e2329ce5286d6b231b8726959ebbe0404c92f0a578c0e2482182e38282",
"sha256:41d0f1fa4c6830176eef5b276af04c89320ea616655d01327d5ce65e50575c94",
"sha256:4a4d8d417868d68b979076a9be6a38c676eca060785abaa6709c7b31593c35d1",
"sha256:4b3a93bb9bc662fc1f99c5c3ea8e623d8b23ad22f861eb6fce9377ac07ad6072",
"sha256:5bc0667c1eb8f83a3752b71b9c4ba55ef7c7058ae57022dd9b29065186a113d9",
"sha256:721bc4ba4525f53f6a611ec0967bdcee61b31df5a56801281027a3a6d1c2daf5",
"sha256:763d65baa3b952479c4e972669f679fe490eee058d5aa85da483ebae2009d231",
"sha256:7bdb4c06b063f6fd55e472e201317a3bb6cdeeee5d5a38512ea5c01e1acbdd93",
"sha256:8831a2cedcd0f0927f788c5bdf6567d9dc9cc235646a434986a852af1cb54b4b",
"sha256:91a789b4aa0097b78c93e3dc4b40040ba55bef518f84a40d4442f713b4094acb",
"sha256:92460ce908546ab69770b2e576e4f99fbb4ce6ab4b245345a3869a0a0410488f",
"sha256:99e77daab5d13a48a4054803d052ff40780278240a902b880dd37a51ba01a307",
"sha256:a234a20ae07e8469da311e182e70ef6b199d0fbeb6c6cc2901204dd87fb867e8",
"sha256:a7b301ff08055d73223058b5c46c55638917f04d21577c95e00e0c4d79201a6b",
"sha256:be2a7ad8fd8f7442b24323d24ba0b56c51219513cfa45b9ada3b87b76c374d4b",
"sha256:bf9a6bc4a0221538b1a7de3ed7bca4c93c02346853f44e1cd764be0023cd3640",
"sha256:c3ca1fbba4ae962521e5eb66d72998b51f0f4d0f608d3c0347a48e1af262efa7",
"sha256:d000f258cf42fec2b1bbf2863c61d7b8918d31ffee905da62dede869254d3b8a",
"sha256:d5859983f26d8cd7bb5c287ef452e8aacc86501487634573d260968f753e1d71",
"sha256:d5e51e2901ec2366b79f16c2299a03e74ba4531ddcfacc1416639c557aef0ad8",
"sha256:debc87a9516b237d0466a711b18b6ebeb17ba9f391eb7f91c649c5c4ec5006c7",
"sha256:df5828871e6648db72d1c19b4bd24819b80a755c4541d3409f0f7acd0f335c80",
"sha256:ecdf1a604009bd35c674b9225a8fa609e0282d9b896c03dd441a91e5f53b534e",
"sha256:efa08d63ef03d079dcae1dfe334f6c8847ba8b645d08df286358b1f5293d24ab",
"sha256:f01da5790e95815eb5a8a138508c01c758e5f5bc0ce4286c4f7028b8dd7ac3d0",
"sha256:f34019dced51047d6f70cb9383b2ae2853b7fc4dce65129a5acd49f4f9256646"
],
"markers": "python_version < '3.10' and platform_python_implementation == 'CPython'",
"version": "==0.2.6"
"markers": "python_version < '3.11' and platform_python_implementation == 'CPython'",
"version": "==0.2.7"
},
"setuptools": {
"hashes": [
"sha256:57f6f22bde4e042978bcd50176fdb381d7c21a9efa4041202288d3737a0c6a54",
"sha256:a7620757bf984b58deaf32fc8a4577a9bbc0850cf92c20e1ce41c38c19e5fb75"
],
"markers": "python_version >= '3.7'",
"version": "==65.6.3"
},
"six": {
"hashes": [
@@ -206,6 +230,14 @@
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==1.16.0"
},
"termcolor": {
"hashes": [
"sha256:67cee2009adc6449c650f6bcf3bdeed00c8ba53a8cda5362733c53e0a39fb70b",
"sha256:fa852e957f97252205e105dd55bbc23b419a70fec0085708fc0515e399f304fd"
],
"index": "pypi",
"version": "==2.1.1"
},
"urllib3": {
"hashes": [
"sha256:39fb8672126159acb139a7718dd10806104dec1e2f0f6c88aab05d17df10c8d4",
@@ -216,69 +248,191 @@
},
"wrapt": {
"hashes": [
"sha256:b62ffa81fb85f4332a4f609cab4ac40709470da05643a082ec1eb88e6d9b97d7"
"sha256:00b6d4ea20a906c0ca56d84f93065b398ab74b927a7a3dbd470f6fc503f95dc3",
"sha256:01c205616a89d09827986bc4e859bcabd64f5a0662a7fe95e0d359424e0e071b",
"sha256:02b41b633c6261feff8ddd8d11c711df6842aba629fdd3da10249a53211a72c4",
"sha256:07f7a7d0f388028b2df1d916e94bbb40624c59b48ecc6cbc232546706fac74c2",
"sha256:11871514607b15cfeb87c547a49bca19fde402f32e2b1c24a632506c0a756656",
"sha256:1b376b3f4896e7930f1f772ac4b064ac12598d1c38d04907e696cc4d794b43d3",
"sha256:21ac0156c4b089b330b7666db40feee30a5d52634cc4560e1905d6529a3897ff",
"sha256:257fd78c513e0fb5cdbe058c27a0624c9884e735bbd131935fd49e9fe719d310",
"sha256:2b39d38039a1fdad98c87279b48bc5dce2c0ca0d73483b12cb72aa9609278e8a",
"sha256:2cf71233a0ed05ccdabe209c606fe0bac7379fdcf687f39b944420d2a09fdb57",
"sha256:2fe803deacd09a233e4762a1adcea5db5d31e6be577a43352936179d14d90069",
"sha256:3232822c7d98d23895ccc443bbdf57c7412c5a65996c30442ebe6ed3df335383",
"sha256:34aa51c45f28ba7f12accd624225e2b1e5a3a45206aa191f6f9aac931d9d56fe",
"sha256:36f582d0c6bc99d5f39cd3ac2a9062e57f3cf606ade29a0a0d6b323462f4dd87",
"sha256:380a85cf89e0e69b7cfbe2ea9f765f004ff419f34194018a6827ac0e3edfed4d",
"sha256:40e7bc81c9e2b2734ea4bc1aceb8a8f0ceaac7c5299bc5d69e37c44d9081d43b",
"sha256:43ca3bbbe97af00f49efb06e352eae40434ca9d915906f77def219b88e85d907",
"sha256:4fcc4649dc762cddacd193e6b55bc02edca674067f5f98166d7713b193932b7f",
"sha256:5a0f54ce2c092aaf439813735584b9537cad479575a09892b8352fea5e988dc0",
"sha256:5a9a0d155deafd9448baff28c08e150d9b24ff010e899311ddd63c45c2445e28",
"sha256:5b02d65b9ccf0ef6c34cba6cf5bf2aab1bb2f49c6090bafeecc9cd81ad4ea1c1",
"sha256:60db23fa423575eeb65ea430cee741acb7c26a1365d103f7b0f6ec412b893853",
"sha256:642c2e7a804fcf18c222e1060df25fc210b9c58db7c91416fb055897fc27e8cc",
"sha256:6a9a25751acb379b466ff6be78a315e2b439d4c94c1e99cb7266d40a537995d3",
"sha256:6b1a564e6cb69922c7fe3a678b9f9a3c54e72b469875aa8018f18b4d1dd1adf3",
"sha256:6d323e1554b3d22cfc03cd3243b5bb815a51f5249fdcbb86fda4bf62bab9e164",
"sha256:6e743de5e9c3d1b7185870f480587b75b1cb604832e380d64f9504a0535912d1",
"sha256:709fe01086a55cf79d20f741f39325018f4df051ef39fe921b1ebe780a66184c",
"sha256:7b7c050ae976e286906dd3f26009e117eb000fb2cf3533398c5ad9ccc86867b1",
"sha256:7d2872609603cb35ca513d7404a94d6d608fc13211563571117046c9d2bcc3d7",
"sha256:7ef58fb89674095bfc57c4069e95d7a31cfdc0939e2a579882ac7d55aadfd2a1",
"sha256:80bb5c256f1415f747011dc3604b59bc1f91c6e7150bd7db03b19170ee06b320",
"sha256:81b19725065dcb43df02b37e03278c011a09e49757287dca60c5aecdd5a0b8ed",
"sha256:833b58d5d0b7e5b9832869f039203389ac7cbf01765639c7309fd50ef619e0b1",
"sha256:88bd7b6bd70a5b6803c1abf6bca012f7ed963e58c68d76ee20b9d751c74a3248",
"sha256:8ad85f7f4e20964db4daadcab70b47ab05c7c1cf2a7c1e51087bfaa83831854c",
"sha256:8c0ce1e99116d5ab21355d8ebe53d9460366704ea38ae4d9f6933188f327b456",
"sha256:8d649d616e5c6a678b26d15ece345354f7c2286acd6db868e65fcc5ff7c24a77",
"sha256:903500616422a40a98a5a3c4ff4ed9d0066f3b4c951fa286018ecdf0750194ef",
"sha256:9736af4641846491aedb3c3f56b9bc5568d92b0692303b5a305301a95dfd38b1",
"sha256:988635d122aaf2bdcef9e795435662bcd65b02f4f4c1ae37fbee7401c440b3a7",
"sha256:9cca3c2cdadb362116235fdbd411735de4328c61425b0aa9f872fd76d02c4e86",
"sha256:9e0fd32e0148dd5dea6af5fee42beb949098564cc23211a88d799e434255a1f4",
"sha256:9f3e6f9e05148ff90002b884fbc2a86bd303ae847e472f44ecc06c2cd2fcdb2d",
"sha256:a85d2b46be66a71bedde836d9e41859879cc54a2a04fad1191eb50c2066f6e9d",
"sha256:a9a52172be0b5aae932bef82a79ec0a0ce87288c7d132946d645eba03f0ad8a8",
"sha256:aa31fdcc33fef9eb2552cbcbfee7773d5a6792c137b359e82879c101e98584c5",
"sha256:b014c23646a467558be7da3d6b9fa409b2c567d2110599b7cf9a0c5992b3b471",
"sha256:b21bb4c09ffabfa0e85e3a6b623e19b80e7acd709b9f91452b8297ace2a8ab00",
"sha256:b5901a312f4d14c59918c221323068fad0540e34324925c8475263841dbdfe68",
"sha256:b9b7a708dd92306328117d8c4b62e2194d00c365f18eff11a9b53c6f923b01e3",
"sha256:d1967f46ea8f2db647c786e78d8cc7e4313dbd1b0aca360592d8027b8508e24d",
"sha256:d52a25136894c63de15a35bc0bdc5adb4b0e173b9c0d07a2be9d3ca64a332735",
"sha256:d77c85fedff92cf788face9bfa3ebaa364448ebb1d765302e9af11bf449ca36d",
"sha256:d79d7d5dc8a32b7093e81e97dad755127ff77bcc899e845f41bf71747af0c569",
"sha256:dbcda74c67263139358f4d188ae5faae95c30929281bc6866d00573783c422b7",
"sha256:ddaea91abf8b0d13443f6dac52e89051a5063c7d014710dcb4d4abb2ff811a59",
"sha256:dee0ce50c6a2dd9056c20db781e9c1cfd33e77d2d569f5d1d9321c641bb903d5",
"sha256:dee60e1de1898bde3b238f18340eec6148986da0455d8ba7848d50470a7a32fb",
"sha256:e2f83e18fe2f4c9e7db597e988f72712c0c3676d337d8b101f6758107c42425b",
"sha256:e3fb1677c720409d5f671e39bac6c9e0e422584e5f518bfd50aa4cbbea02433f",
"sha256:ee2b1b1769f6707a8a445162ea16dddf74285c3964f605877a20e38545c3c462",
"sha256:ee6acae74a2b91865910eef5e7de37dc6895ad96fa23603d1d27ea69df545015",
"sha256:ef3f72c9666bba2bab70d2a8b79f2c6d2c1a42a7f7e2b0ec83bb2f9e383950af"
],
"version": "==1.12.1"
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
"version": "==1.14.1"
}
},
"develop": {
"aiohttp": {
"hashes": [
"sha256:02f46fc0e3c5ac58b80d4d56eb0a7c7d97fcef69ace9326289fb9f1955e65cfe",
"sha256:0563c1b3826945eecd62186f3f5c7d31abb7391fedc893b7e2b26303b5a9f3fe",
"sha256:114b281e4d68302a324dd33abb04778e8557d88947875cbf4e842c2c01a030c5",
"sha256:14762875b22d0055f05d12abc7f7d61d5fd4fe4642ce1a249abdf8c700bf1fd8",
"sha256:15492a6368d985b76a2a5fdd2166cddfea5d24e69eefed4630cbaae5c81d89bd",
"sha256:17c073de315745a1510393a96e680d20af8e67e324f70b42accbd4cb3315c9fb",
"sha256:209b4a8ee987eccc91e2bd3ac36adee0e53a5970b8ac52c273f7f8fd4872c94c",
"sha256:230a8f7e24298dea47659251abc0fd8b3c4e38a664c59d4b89cca7f6c09c9e87",
"sha256:2e19413bf84934d651344783c9f5e22dee452e251cfd220ebadbed2d9931dbf0",
"sha256:393f389841e8f2dfc86f774ad22f00923fdee66d238af89b70ea314c4aefd290",
"sha256:3cf75f7cdc2397ed4442594b935a11ed5569961333d49b7539ea741be2cc79d5",
"sha256:3d78619672183be860b96ed96f533046ec97ca067fd46ac1f6a09cd9b7484287",
"sha256:40eced07f07a9e60e825554a31f923e8d3997cfc7fb31dbc1328c70826e04cde",
"sha256:493d3299ebe5f5a7c66b9819eacdcfbbaaf1a8e84911ddffcdc48888497afecf",
"sha256:4b302b45040890cea949ad092479e01ba25911a15e648429c7c5aae9650c67a8",
"sha256:515dfef7f869a0feb2afee66b957cc7bbe9ad0cdee45aec7fdc623f4ecd4fb16",
"sha256:547da6cacac20666422d4882cfcd51298d45f7ccb60a04ec27424d2f36ba3eaf",
"sha256:5df68496d19f849921f05f14f31bd6ef53ad4b00245da3195048c69934521809",
"sha256:64322071e046020e8797117b3658b9c2f80e3267daec409b350b6a7a05041213",
"sha256:7615dab56bb07bff74bc865307aeb89a8bfd9941d2ef9d817b9436da3a0ea54f",
"sha256:79ebfc238612123a713a457d92afb4096e2148be17df6c50fb9bf7a81c2f8013",
"sha256:7b18b97cf8ee5452fa5f4e3af95d01d84d86d32c5e2bfa260cf041749d66360b",
"sha256:932bb1ea39a54e9ea27fc9232163059a0b8855256f4052e776357ad9add6f1c9",
"sha256:a00bb73540af068ca7390e636c01cbc4f644961896fa9363154ff43fd37af2f5",
"sha256:a5ca29ee66f8343ed336816c553e82d6cade48a3ad702b9ffa6125d187e2dedb",
"sha256:af9aa9ef5ba1fd5b8c948bb11f44891968ab30356d65fd0cc6707d989cd521df",
"sha256:bb437315738aa441251214dad17428cafda9cdc9729499f1d6001748e1d432f4",
"sha256:bdb230b4943891321e06fc7def63c7aace16095be7d9cf3b1e01be2f10fba439",
"sha256:c6e9dcb4cb338d91a73f178d866d051efe7c62a7166653a91e7d9fb18274058f",
"sha256:cffe3ab27871bc3ea47df5d8f7013945712c46a3cc5a95b6bee15887f1675c22",
"sha256:d012ad7911653a906425d8473a1465caa9f8dea7fcf07b6d870397b774ea7c0f",
"sha256:d9e13b33afd39ddeb377eff2c1c4f00544e191e1d1dee5b6c51ddee8ea6f0cf5",
"sha256:e4b2b334e68b18ac9817d828ba44d8fcb391f6acb398bcc5062b14b2cbeac970",
"sha256:e54962802d4b8b18b6207d4a927032826af39395a3bd9196a5af43fc4e60b009",
"sha256:f705e12750171c0ab4ef2a3c76b9a4024a62c4103e3a55dd6f99265b9bc6fcfc",
"sha256:f881853d2643a29e643609da57b96d5f9c9b93f62429dcc1cbb413c7d07f0e1a",
"sha256:fe60131d21b31fd1a14bd43e6bb88256f69dfc3188b3a89d736d6c71ed43ec95"
"sha256:02f9a2c72fc95d59b881cf38a4b2be9381b9527f9d328771e90f72ac76f31ad8",
"sha256:059a91e88f2c00fe40aed9031b3606c3f311414f86a90d696dd982e7aec48142",
"sha256:05a3c31c6d7cd08c149e50dc7aa2568317f5844acd745621983380597f027a18",
"sha256:08c78317e950e0762c2983f4dd58dc5e6c9ff75c8a0efeae299d363d439c8e34",
"sha256:09e28f572b21642128ef31f4e8372adb6888846f32fecb288c8b0457597ba61a",
"sha256:0d2c6d8c6872df4a6ec37d2ede71eff62395b9e337b4e18efd2177de883a5033",
"sha256:16c121ba0b1ec2b44b73e3a8a171c4f999b33929cd2397124a8c7fcfc8cd9e06",
"sha256:1d90043c1882067f1bd26196d5d2db9aa6d268def3293ed5fb317e13c9413ea4",
"sha256:1e56b9cafcd6531bab5d9b2e890bb4937f4165109fe98e2b98ef0dcfcb06ee9d",
"sha256:20acae4f268317bb975671e375493dbdbc67cddb5f6c71eebdb85b34444ac46b",
"sha256:21b30885a63c3f4ff5b77a5d6caf008b037cb521a5f33eab445dc566f6d092cc",
"sha256:21d69797eb951f155026651f7e9362877334508d39c2fc37bd04ff55b2007091",
"sha256:256deb4b29fe5e47893fa32e1de2d73c3afe7407738bd3c63829874661d4822d",
"sha256:25892c92bee6d9449ffac82c2fe257f3a6f297792cdb18ad784737d61e7a9a85",
"sha256:2ca9af5f8f5812d475c5259393f52d712f6d5f0d7fdad9acdb1107dd9e3cb7eb",
"sha256:2d252771fc85e0cf8da0b823157962d70639e63cb9b578b1dec9868dd1f4f937",
"sha256:2dea10edfa1a54098703cb7acaa665c07b4e7568472a47f4e64e6319d3821ccf",
"sha256:2df5f139233060578d8c2c975128fb231a89ca0a462b35d4b5fcf7c501ebdbe1",
"sha256:2feebbb6074cdbd1ac276dbd737b40e890a1361b3cc30b74ac2f5e24aab41f7b",
"sha256:309aa21c1d54b8ef0723181d430347d7452daaff93e8e2363db8e75c72c2fb2d",
"sha256:3828fb41b7203176b82fe5d699e0d845435f2374750a44b480ea6b930f6be269",
"sha256:398701865e7a9565d49189f6c90868efaca21be65c725fc87fc305906be915da",
"sha256:43046a319664a04b146f81b40e1545d4c8ac7b7dd04c47e40bf09f65f2437346",
"sha256:437399385f2abcd634865705bdc180c8314124b98299d54fe1d4c8990f2f9494",
"sha256:45d88b016c849d74ebc6f2b6e8bc17cabf26e7e40c0661ddd8fae4c00f015697",
"sha256:47841407cc89a4b80b0c52276f3cc8138bbbfba4b179ee3acbd7d77ae33f7ac4",
"sha256:4a4fbc769ea9b6bd97f4ad0b430a6807f92f0e5eb020f1e42ece59f3ecfc4585",
"sha256:4ab94426ddb1ecc6a0b601d832d5d9d421820989b8caa929114811369673235c",
"sha256:4b0f30372cef3fdc262f33d06e7b411cd59058ce9174ef159ad938c4a34a89da",
"sha256:4e3a23ec214e95c9fe85a58470b660efe6534b83e6cbe38b3ed52b053d7cb6ad",
"sha256:512bd5ab136b8dc0ffe3fdf2dfb0c4b4f49c8577f6cae55dca862cd37a4564e2",
"sha256:527b3b87b24844ea7865284aabfab08eb0faf599b385b03c2aa91fc6edd6e4b6",
"sha256:54d107c89a3ebcd13228278d68f1436d3f33f2dd2af5415e3feaeb1156e1a62c",
"sha256:5835f258ca9f7c455493a57ee707b76d2d9634d84d5d7f62e77be984ea80b849",
"sha256:598adde339d2cf7d67beaccda3f2ce7c57b3b412702f29c946708f69cf8222aa",
"sha256:599418aaaf88a6d02a8c515e656f6faf3d10618d3dd95866eb4436520096c84b",
"sha256:5bf651afd22d5f0c4be16cf39d0482ea494f5c88f03e75e5fef3a85177fecdeb",
"sha256:5c59fcd80b9049b49acd29bd3598cada4afc8d8d69bd4160cd613246912535d7",
"sha256:653acc3880459f82a65e27bd6526e47ddf19e643457d36a2250b85b41a564715",
"sha256:66bd5f950344fb2b3dbdd421aaa4e84f4411a1a13fca3aeb2bcbe667f80c9f76",
"sha256:6f3553510abdbec67c043ca85727396ceed1272eef029b050677046d3387be8d",
"sha256:7018ecc5fe97027214556afbc7c502fbd718d0740e87eb1217b17efd05b3d276",
"sha256:713d22cd9643ba9025d33c4af43943c7a1eb8547729228de18d3e02e278472b6",
"sha256:73a4131962e6d91109bca6536416aa067cf6c4efb871975df734f8d2fd821b37",
"sha256:75880ed07be39beff1881d81e4a907cafb802f306efd6d2d15f2b3c69935f6fb",
"sha256:75e14eac916f024305db517e00a9252714fce0abcb10ad327fb6dcdc0d060f1d",
"sha256:8135fa153a20d82ffb64f70a1b5c2738684afa197839b34cc3e3c72fa88d302c",
"sha256:84b14f36e85295fe69c6b9789b51a0903b774046d5f7df538176516c3e422446",
"sha256:86fc24e58ecb32aee09f864cb11bb91bc4c1086615001647dbfc4dc8c32f4008",
"sha256:87f44875f2804bc0511a69ce44a9595d5944837a62caecc8490bbdb0e18b1342",
"sha256:88c70ed9da9963d5496d38320160e8eb7e5f1886f9290475a881db12f351ab5d",
"sha256:88e5be56c231981428f4f506c68b6a46fa25c4123a2e86d156c58a8369d31ab7",
"sha256:89d2e02167fa95172c017732ed7725bc8523c598757f08d13c5acca308e1a061",
"sha256:8d6aaa4e7155afaf994d7924eb290abbe81a6905b303d8cb61310a2aba1c68ba",
"sha256:92a2964319d359f494f16011e23434f6f8ef0434acd3cf154a6b7bec511e2fb7",
"sha256:96372fc29471646b9b106ee918c8eeb4cca423fcbf9a34daa1b93767a88a2290",
"sha256:978b046ca728073070e9abc074b6299ebf3501e8dee5e26efacb13cec2b2dea0",
"sha256:9c7149272fb5834fc186328e2c1fa01dda3e1fa940ce18fded6d412e8f2cf76d",
"sha256:a0239da9fbafd9ff82fd67c16704a7d1bccf0d107a300e790587ad05547681c8",
"sha256:ad5383a67514e8e76906a06741febd9126fc7c7ff0f599d6fcce3e82b80d026f",
"sha256:ad61a9639792fd790523ba072c0555cd6be5a0baf03a49a5dd8cfcf20d56df48",
"sha256:b29bfd650ed8e148f9c515474a6ef0ba1090b7a8faeee26b74a8ff3b33617502",
"sha256:b97decbb3372d4b69e4d4c8117f44632551c692bb1361b356a02b97b69e18a62",
"sha256:ba71c9b4dcbb16212f334126cc3d8beb6af377f6703d9dc2d9fb3874fd667ee9",
"sha256:c37c5cce780349d4d51739ae682dec63573847a2a8dcb44381b174c3d9c8d403",
"sha256:c971bf3786b5fad82ce5ad570dc6ee420f5b12527157929e830f51c55dc8af77",
"sha256:d1fde0f44029e02d02d3993ad55ce93ead9bb9b15c6b7ccd580f90bd7e3de476",
"sha256:d24b8bb40d5c61ef2d9b6a8f4528c2f17f1c5d2d31fed62ec860f6006142e83e",
"sha256:d5ba88df9aa5e2f806650fcbeedbe4f6e8736e92fc0e73b0400538fd25a4dd96",
"sha256:d6f76310355e9fae637c3162936e9504b4767d5c52ca268331e2756e54fd4ca5",
"sha256:d737fc67b9a970f3234754974531dc9afeea11c70791dcb7db53b0cf81b79784",
"sha256:da22885266bbfb3f78218dc40205fed2671909fbd0720aedba39b4515c038091",
"sha256:da37dcfbf4b7f45d80ee386a5f81122501ec75672f475da34784196690762f4b",
"sha256:db19d60d846283ee275d0416e2a23493f4e6b6028825b51290ac05afc87a6f97",
"sha256:db4c979b0b3e0fa7e9e69ecd11b2b3174c6963cebadeecfb7ad24532ffcdd11a",
"sha256:e164e0a98e92d06da343d17d4e9c4da4654f4a4588a20d6c73548a29f176abe2",
"sha256:e168a7560b7c61342ae0412997b069753f27ac4862ec7867eff74f0fe4ea2ad9",
"sha256:e381581b37db1db7597b62a2e6b8b57c3deec95d93b6d6407c5b61ddc98aca6d",
"sha256:e65bc19919c910127c06759a63747ebe14f386cda573d95bcc62b427ca1afc73",
"sha256:e7b8813be97cab8cb52b1375f41f8e6804f6507fe4660152e8ca5c48f0436017",
"sha256:e8a78079d9a39ca9ca99a8b0ac2fdc0c4d25fc80c8a8a82e5c8211509c523363",
"sha256:ebf909ea0a3fc9596e40d55d8000702a85e27fd578ff41a5500f68f20fd32e6c",
"sha256:ec40170327d4a404b0d91855d41bfe1fe4b699222b2b93e3d833a27330a87a6d",
"sha256:f178d2aadf0166be4df834c4953da2d7eef24719e8aec9a65289483eeea9d618",
"sha256:f88df3a83cf9df566f171adba39d5bd52814ac0b94778d2448652fc77f9eb491",
"sha256:f973157ffeab5459eefe7b97a804987876dd0a55570b8fa56b4e1954bf11329b",
"sha256:ff25f48fc8e623d95eca0670b8cc1469a83783c924a602e0fbd47363bb54aaca"
],
"markers": "python_version >= '3.6'",
"version": "==3.7.4.post0"
"version": "==3.8.3"
},
"aiosignal": {
"hashes": [
"sha256:54cd96e15e1649b75d6c87526a6ff0b6c1b0dd3459f43d9ca11d48c339b68cfc",
"sha256:f8376fb07dd1e86a584e4fcdec80b36b7f81aac666ebc724e2c090300dd83b17"
],
"markers": "python_version >= '3.7'",
"version": "==1.3.1"
},
"antlr4-python3-runtime": {
"hashes": [
"sha256:15793f5d0512a372b4e7d2284058ad32ce7dd27126b105fb0b2245130445db33"
"sha256:f224469b4168294902bb1efa80a8bf7855f24c99aef99cbefc1bcd3cce77881b"
],
"markers": "python_version >= '3'",
"version": "==4.8"
"version": "==4.9.3"
},
"async-timeout": {
"hashes": [
"sha256:0c3c816a028d47f659d6ff5c745cb2acf1f966da1fe5c19c77a70282b25f4c5f",
"sha256:4291ca197d287d274d0b6cb5d6f8f8f82d434ed288f962539ff18cc9012f9ea3"
"sha256:2163e1640ddb52b7a8c80d0a67a08587e5d245cc9c553a74a847056bc2976b15",
"sha256:8ca1e4fcf50d07413d66d1a5e416e42cfdf5851c981d679a09851a6853383b3c"
],
"markers": "python_full_version >= '3.5.3'",
"version": "==3.0.1"
"markers": "python_version >= '3.6'",
"version": "==4.0.2"
},
"attackcti": {
"hashes": [
@@ -290,34 +444,27 @@
},
"attrs": {
"hashes": [
"sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1",
"sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb"
"sha256:29adc2665447e5191d0e7c568fde78b21f9672d344281d0c6e1ab085429b22b6",
"sha256:86efa402f67bf2df34f51a335487cf46b1ec130d02b8d39fd248abfd30da551c"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
"version": "==21.2.0"
"markers": "python_version >= '3.5'",
"version": "==22.1.0"
},
"certifi": {
"hashes": [
"sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee",
"sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8"
"sha256:35824b4c3a97115964b408844d64aa14db1cc518f6562e8d7261699d1350a9e3",
"sha256:4ad3232f5e926d6718ec31cfc1fcadfde020920e278684144551c91769c7bc18"
],
"version": "==2021.5.30"
},
"chardet": {
"hashes": [
"sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa",
"sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
"version": "==4.0.0"
"index": "pypi",
"version": "==2022.12.7"
},
"charset-normalizer": {
"hashes": [
"sha256:0c8911edd15d19223366a194a513099a302055a962bca2cec0f54b8b63175d8b",
"sha256:f23667ebe1084be45f6ae0538e4a5a865206544097e4e8bbcacf42cd02a348f3"
"sha256:2857e29ff0d34db842cd7ca3230549d1a697f96ee6d3fb071cfa6c7393832597",
"sha256:6881edbebdb17b39b4eaaa821b438bf6eddffb4468cf344f09f89def34a8b1df"
],
"markers": "python_version >= '3'",
"version": "==2.0.4"
"version": "==2.0.12"
},
"colorama": {
"hashes": [
@@ -401,79 +548,197 @@
"index": "pypi",
"version": "==6.2.0"
},
"frozenlist": {
"hashes": [
"sha256:008a054b75d77c995ea26629ab3a0c0d7281341f2fa7e1e85fa6153ae29ae99c",
"sha256:02c9ac843e3390826a265e331105efeab489ffaf4dd86384595ee8ce6d35ae7f",
"sha256:034a5c08d36649591be1cbb10e09da9f531034acfe29275fc5454a3b101ce41a",
"sha256:05cdb16d09a0832eedf770cb7bd1fe57d8cf4eaf5aced29c4e41e3f20b30a784",
"sha256:0693c609e9742c66ba4870bcee1ad5ff35462d5ffec18710b4ac89337ff16e27",
"sha256:0771aed7f596c7d73444c847a1c16288937ef988dc04fb9f7be4b2aa91db609d",
"sha256:0af2e7c87d35b38732e810befb9d797a99279cbb85374d42ea61c1e9d23094b3",
"sha256:14143ae966a6229350021384870458e4777d1eae4c28d1a7aa47f24d030e6678",
"sha256:180c00c66bde6146a860cbb81b54ee0df350d2daf13ca85b275123bbf85de18a",
"sha256:1841e200fdafc3d51f974d9d377c079a0694a8f06de2e67b48150328d66d5483",
"sha256:23d16d9f477bb55b6154654e0e74557040575d9d19fe78a161bd33d7d76808e8",
"sha256:2b07ae0c1edaa0a36339ec6cce700f51b14a3fc6545fdd32930d2c83917332cf",
"sha256:2c926450857408e42f0bbc295e84395722ce74bae69a3b2aa2a65fe22cb14b99",
"sha256:2e24900aa13212e75e5b366cb9065e78bbf3893d4baab6052d1aca10d46d944c",
"sha256:303e04d422e9b911a09ad499b0368dc551e8c3cd15293c99160c7f1f07b59a48",
"sha256:352bd4c8c72d508778cf05ab491f6ef36149f4d0cb3c56b1b4302852255d05d5",
"sha256:3843f84a6c465a36559161e6c59dce2f2ac10943040c2fd021cfb70d58c4ad56",
"sha256:394c9c242113bfb4b9aa36e2b80a05ffa163a30691c7b5a29eba82e937895d5e",
"sha256:3bbdf44855ed8f0fbcd102ef05ec3012d6a4fd7c7562403f76ce6a52aeffb2b1",
"sha256:40de71985e9042ca00b7953c4f41eabc3dc514a2d1ff534027f091bc74416401",
"sha256:41fe21dc74ad3a779c3d73a2786bdf622ea81234bdd4faf90b8b03cad0c2c0b4",
"sha256:47df36a9fe24054b950bbc2db630d508cca3aa27ed0566c0baf661225e52c18e",
"sha256:4ea42116ceb6bb16dbb7d526e242cb6747b08b7710d9782aa3d6732bd8d27649",
"sha256:58bcc55721e8a90b88332d6cd441261ebb22342e238296bb330968952fbb3a6a",
"sha256:5c11e43016b9024240212d2a65043b70ed8dfd3b52678a1271972702d990ac6d",
"sha256:5cf820485f1b4c91e0417ea0afd41ce5cf5965011b3c22c400f6d144296ccbc0",
"sha256:5d8860749e813a6f65bad8285a0520607c9500caa23fea6ee407e63debcdbef6",
"sha256:6327eb8e419f7d9c38f333cde41b9ae348bec26d840927332f17e887a8dcb70d",
"sha256:65a5e4d3aa679610ac6e3569e865425b23b372277f89b5ef06cf2cdaf1ebf22b",
"sha256:66080ec69883597e4d026f2f71a231a1ee9887835902dbe6b6467d5a89216cf6",
"sha256:783263a4eaad7c49983fe4b2e7b53fa9770c136c270d2d4bbb6d2192bf4d9caf",
"sha256:7f44e24fa70f6fbc74aeec3e971f60a14dde85da364aa87f15d1be94ae75aeef",
"sha256:7fdfc24dcfce5b48109867c13b4cb15e4660e7bd7661741a391f821f23dfdca7",
"sha256:810860bb4bdce7557bc0febb84bbd88198b9dbc2022d8eebe5b3590b2ad6c842",
"sha256:841ea19b43d438a80b4de62ac6ab21cfe6827bb8a9dc62b896acc88eaf9cecba",
"sha256:84610c1502b2461255b4c9b7d5e9c48052601a8957cd0aea6ec7a7a1e1fb9420",
"sha256:899c5e1928eec13fd6f6d8dc51be23f0d09c5281e40d9cf4273d188d9feeaf9b",
"sha256:8bae29d60768bfa8fb92244b74502b18fae55a80eac13c88eb0b496d4268fd2d",
"sha256:8df3de3a9ab8325f94f646609a66cbeeede263910c5c0de0101079ad541af332",
"sha256:8fa3c6e3305aa1146b59a09b32b2e04074945ffcfb2f0931836d103a2c38f936",
"sha256:924620eef691990dfb56dc4709f280f40baee568c794b5c1885800c3ecc69816",
"sha256:9309869032abb23d196cb4e4db574232abe8b8be1339026f489eeb34a4acfd91",
"sha256:9545a33965d0d377b0bc823dcabf26980e77f1b6a7caa368a365a9497fb09420",
"sha256:9ac5995f2b408017b0be26d4a1d7c61bce106ff3d9e3324374d66b5964325448",
"sha256:9bbbcedd75acdfecf2159663b87f1bb5cfc80e7cd99f7ddd9d66eb98b14a8411",
"sha256:a4ae8135b11652b08a8baf07631d3ebfe65a4c87909dbef5fa0cdde440444ee4",
"sha256:a6394d7dadd3cfe3f4b3b186e54d5d8504d44f2d58dcc89d693698e8b7132b32",
"sha256:a97b4fe50b5890d36300820abd305694cb865ddb7885049587a5678215782a6b",
"sha256:ae4dc05c465a08a866b7a1baf360747078b362e6a6dbeb0c57f234db0ef88ae0",
"sha256:b1c63e8d377d039ac769cd0926558bb7068a1f7abb0f003e3717ee003ad85530",
"sha256:b1e2c1185858d7e10ff045c496bbf90ae752c28b365fef2c09cf0fa309291669",
"sha256:b4395e2f8d83fbe0c627b2b696acce67868793d7d9750e90e39592b3626691b7",
"sha256:b756072364347cb6aa5b60f9bc18e94b2f79632de3b0190253ad770c5df17db1",
"sha256:ba64dc2b3b7b158c6660d49cdb1d872d1d0bf4e42043ad8d5006099479a194e5",
"sha256:bed331fe18f58d844d39ceb398b77d6ac0b010d571cba8267c2e7165806b00ce",
"sha256:c188512b43542b1e91cadc3c6c915a82a5eb95929134faf7fd109f14f9892ce4",
"sha256:c21b9aa40e08e4f63a2f92ff3748e6b6c84d717d033c7b3438dd3123ee18f70e",
"sha256:ca713d4af15bae6e5d79b15c10c8522859a9a89d3b361a50b817c98c2fb402a2",
"sha256:cd4210baef299717db0a600d7a3cac81d46ef0e007f88c9335db79f8979c0d3d",
"sha256:cfe33efc9cb900a4c46f91a5ceba26d6df370ffddd9ca386eb1d4f0ad97b9ea9",
"sha256:d5cd3ab21acbdb414bb6c31958d7b06b85eeb40f66463c264a9b343a4e238642",
"sha256:dfbac4c2dfcc082fcf8d942d1e49b6aa0766c19d3358bd86e2000bf0fa4a9cf0",
"sha256:e235688f42b36be2b6b06fc37ac2126a73b75fb8d6bc66dd632aa35286238703",
"sha256:eb82dbba47a8318e75f679690190c10a5e1f447fbf9df41cbc4c3afd726d88cb",
"sha256:ebb86518203e12e96af765ee89034a1dbb0c3c65052d1b0c19bbbd6af8a145e1",
"sha256:ee78feb9d293c323b59a6f2dd441b63339a30edf35abcb51187d2fc26e696d13",
"sha256:eedab4c310c0299961ac285591acd53dc6723a1ebd90a57207c71f6e0c2153ab",
"sha256:efa568b885bca461f7c7b9e032655c0c143d305bf01c30caf6db2854a4532b38",
"sha256:efce6ae830831ab6a22b9b4091d411698145cb9b8fc869e1397ccf4b4b6455cb",
"sha256:f163d2fd041c630fed01bc48d28c3ed4a3b003c00acd396900e11ee5316b56bb",
"sha256:f20380df709d91525e4bee04746ba612a4df0972c1b8f8e1e8af997e678c7b81",
"sha256:f30f1928162e189091cf4d9da2eac617bfe78ef907a761614ff577ef4edfb3c8",
"sha256:f470c92737afa7d4c3aacc001e335062d582053d4dbe73cda126f2d7031068dd",
"sha256:ff8bf625fe85e119553b5383ba0fb6aa3d0ec2ae980295aaefa552374926b3f4"
],
"markers": "python_version >= '3.7'",
"version": "==1.3.3"
},
"idna": {
"hashes": [
"sha256:14475042e284991034cb48e06f6851428fb14c4dc953acd9be9a5e95c7b6dd7a",
"sha256:467fbad99067910785144ce333826c71fb0e63a425657295239737f7ecd125f3"
"sha256:814f528e8dead7d329833b91c5faa87d60bf71824cd12a7530b5526063d02cb4",
"sha256:90b77e79eaa3eba6de819a0c442c0b4ceefc341a7a2ab77d7562bf49f425c5c2"
],
"markers": "python_version >= '3'",
"version": "==3.2"
"version": "==3.4"
},
"more-itertools": {
"hashes": [
"sha256:2cf89ec599962f2ddc4d568a05defc40e0a587fbc10d5989713638864c36be4d",
"sha256:83f0308e05477c68f56ea3a888172c78ed5d5b3c282addb67508e7ba6c8f813a"
"sha256:250e83d7e81d0c87ca6bd942e6aeab8cc9daa6096d12c5308f3f92fa5e5c1f41",
"sha256:5a6257e40878ef0520b1803990e3e22303a41b5714006c32a3fd8304b26ea1ab"
],
"markers": "python_version >= '3.5'",
"version": "==8.8.0"
"markers": "python_version >= '3.7'",
"version": "==9.0.0"
},
"multidict": {
"hashes": [
"sha256:018132dbd8688c7a69ad89c4a3f39ea2f9f33302ebe567a879da8f4ca73f0d0a",
"sha256:051012ccee979b2b06be928a6150d237aec75dd6bf2d1eeeb190baf2b05abc93",
"sha256:05c20b68e512166fddba59a918773ba002fdd77800cad9f55b59790030bab632",
"sha256:07b42215124aedecc6083f1ce6b7e5ec5b50047afa701f3442054373a6deb656",
"sha256:0e3c84e6c67eba89c2dbcee08504ba8644ab4284863452450520dad8f1e89b79",
"sha256:0e929169f9c090dae0646a011c8b058e5e5fb391466016b39d21745b48817fd7",
"sha256:1ab820665e67373de5802acae069a6a05567ae234ddb129f31d290fc3d1aa56d",
"sha256:25b4e5f22d3a37ddf3effc0710ba692cfc792c2b9edfb9c05aefe823256e84d5",
"sha256:2e68965192c4ea61fff1b81c14ff712fc7dc15d2bd120602e4a3494ea6584224",
"sha256:2f1a132f1c88724674271d636e6b7351477c27722f2ed789f719f9e3545a3d26",
"sha256:37e5438e1c78931df5d3c0c78ae049092877e5e9c02dd1ff5abb9cf27a5914ea",
"sha256:3a041b76d13706b7fff23b9fc83117c7b8fe8d5fe9e6be45eee72b9baa75f348",
"sha256:3a4f32116f8f72ecf2a29dabfb27b23ab7cdc0ba807e8459e59a93a9be9506f6",
"sha256:46c73e09ad374a6d876c599f2328161bcd95e280f84d2060cf57991dec5cfe76",
"sha256:46dd362c2f045095c920162e9307de5ffd0a1bfbba0a6e990b344366f55a30c1",
"sha256:4b186eb7d6ae7c06eb4392411189469e6a820da81447f46c0072a41c748ab73f",
"sha256:54fd1e83a184e19c598d5e70ba508196fd0bbdd676ce159feb412a4a6664f952",
"sha256:585fd452dd7782130d112f7ddf3473ffdd521414674c33876187e101b588738a",
"sha256:5cf3443199b83ed9e955f511b5b241fd3ae004e3cb81c58ec10f4fe47c7dce37",
"sha256:6a4d5ce640e37b0efcc8441caeea8f43a06addace2335bd11151bc02d2ee31f9",
"sha256:7df80d07818b385f3129180369079bd6934cf70469f99daaebfac89dca288359",
"sha256:806068d4f86cb06af37cd65821554f98240a19ce646d3cd24e1c33587f313eb8",
"sha256:830f57206cc96ed0ccf68304141fec9481a096c4d2e2831f311bde1c404401da",
"sha256:929006d3c2d923788ba153ad0de8ed2e5ed39fdbe8e7be21e2f22ed06c6783d3",
"sha256:9436dc58c123f07b230383083855593550c4d301d2532045a17ccf6eca505f6d",
"sha256:9dd6e9b1a913d096ac95d0399bd737e00f2af1e1594a787e00f7975778c8b2bf",
"sha256:ace010325c787c378afd7f7c1ac66b26313b3344628652eacd149bdd23c68841",
"sha256:b47a43177a5e65b771b80db71e7be76c0ba23cc8aa73eeeb089ed5219cdbe27d",
"sha256:b797515be8743b771aa868f83563f789bbd4b236659ba52243b735d80b29ed93",
"sha256:b7993704f1a4b204e71debe6095150d43b2ee6150fa4f44d6d966ec356a8d61f",
"sha256:d5c65bdf4484872c4af3150aeebe101ba560dcfb34488d9a8ff8dbcd21079647",
"sha256:d81eddcb12d608cc08081fa88d046c78afb1bf8107e6feab5d43503fea74a635",
"sha256:dc862056f76443a0db4509116c5cd480fe1b6a2d45512a653f9a855cc0517456",
"sha256:ecc771ab628ea281517e24fd2c52e8f31c41e66652d07599ad8818abaad38cda",
"sha256:f200755768dc19c6f4e2b672421e0ebb3dd54c38d5a4f262b872d8cfcc9e93b5",
"sha256:f21756997ad8ef815d8ef3d34edd98804ab5ea337feedcd62fb52d22bf531281",
"sha256:fc13a9524bc18b6fb6e0dbec3533ba0496bbed167c56d0aabefd965584557d80"
"sha256:018c8e3be7f161a12b3e41741b6721f9baeb2210f4ab25a6359b7d76c1017dce",
"sha256:01b456046a05ff7cceefb0e1d2a9d32f05efcb1c7e0d152446304e11557639ce",
"sha256:114a4ab3e5cfbc56c4b6697686ecb92376c7e8c56893ef20547921552f8bdf57",
"sha256:12e0d396faa6dc55ff5379eee54d1df3b508243ff15bfc8295a6ec7a4483a335",
"sha256:190626ced82d4cc567a09e7346340d380154a493bac6905e0095d8158cdf1e38",
"sha256:1f5d5129a937af4e3c4a1d6c139f4051b7d17d43276cefdd8d442a7031f7eef2",
"sha256:21e1ce0b187c4e93112304dcde2aa18922fdbe8fb4f13d8aa72a5657bce0563a",
"sha256:24e8d513bfcaadc1f8b0ebece3ff50961951c54b07d5a775008a882966102418",
"sha256:2523a29006c034687eccd3ee70093a697129a3ffe8732535d3b2df6a4ecc279d",
"sha256:26fbbe17f8a7211b623502d2bf41022a51da3025142401417c765bf9a56fed4c",
"sha256:2b66d61966b12e6bba500e5cbb2c721a35e119c30ee02495c5629bd0e91eea30",
"sha256:2cf5d19e12eff855aa198259c0b02fd3f5d07e1291fbd20279c37b3b0e6c9852",
"sha256:2cfda34b7cb99eacada2072e0f69c0ad3285cb6f8e480b11f2b6d6c1c6f92718",
"sha256:3541882266247c7cd3dba78d6ef28dbe704774df60c9e4231edaa4493522e614",
"sha256:36df958b15639e40472adaa4f0c2c7828fe680f894a6b48c4ce229f59a6a798b",
"sha256:38d394814b39be1c36ac709006d39d50d72a884f9551acd9c8cc1ffae3fc8c4e",
"sha256:4159fc1ec9ede8ab93382e0d6ba9b1b3d23c72da39a834db7a116986605c7ab4",
"sha256:445c0851a1cbc1f2ec3b40bc22f9c4a235edb3c9a0906122a9df6ea8d51f886c",
"sha256:47defc0218682281a52fb1f6346ebb8b68b17538163a89ea24dfe4da37a8a9a3",
"sha256:4cc5c8cd205a9810d16a5cd428cd81bac554ad1477cb87f4ad722b10992e794d",
"sha256:4ccf55f28066b4f08666764a957c2b7c241c7547b0921d69c7ceab5f74fe1a45",
"sha256:4fb3fe591956d8841882c463f934c9f7485cfd5f763a08c0d467b513dc18ef89",
"sha256:526f8397fc124674b8f39748680a0ff673bd6a715fecb4866716d36e380f015f",
"sha256:578bfcb16f4b8675ef71b960c00f174b0426e0eeb796bab6737389d8288eb827",
"sha256:5b51969503709415a35754954c2763f536a70b8bf7360322b2edb0c0a44391f6",
"sha256:5e58ec0375803526d395f6f7e730ecc45d06e15f68f7b9cdbf644a2918324e51",
"sha256:62db44727d0befea68e8ad2881bb87a9cfb6b87d45dd78609009627167f37b69",
"sha256:67090b17a0a5be5704fd109f231ee73cefb1b3802d41288d6378b5df46ae89ba",
"sha256:6cd14e61f0da2a2cfb9fe05bfced2a1ed7063ce46a7a8cd473be4973de9a7f91",
"sha256:70740c2bc9ab1c99f7cdcb104f27d16c63860c56d51c5bf0ef82fc1d892a2131",
"sha256:73009ea04205966d47e16d98686ac5c438af23a1bb30b48a2c5da3423ec9ce37",
"sha256:791458a1f7d1b4ab3bd9e93e0dcd1d59ef7ee9aa051dcd1ea030e62e49b923fd",
"sha256:7f9511e48bde6b995825e8d35e434fc96296cf07a25f4aae24ff9162be7eaa46",
"sha256:81c3d597591b0940e04949e4e4f79359b2d2e542a686ba0da5e25de33fec13e0",
"sha256:8230a39bae6c2e8a09e4da6bace5064693b00590a4a213e38f9a9366da10e7dd",
"sha256:8b92a9f3ab904397a33b193000dc4de7318ea175c4c460a1e154c415f9008e3d",
"sha256:94cbe5535ef150546b8321aebea22862a3284da51e7b55f6f95b7d73e96d90ee",
"sha256:960ce1b790952916e682093788696ef7e33ac6a97482f9b983abdc293091b531",
"sha256:99341ca1f1db9e7f47914cb2461305665a662383765ced6f843712564766956d",
"sha256:9aac6881454a750554ed4b280a839dcf9e2133a9d12ab4d417d673fb102289b7",
"sha256:9d359b0a962e052b713647ac1f13eabf2263167b149ed1e27d5c579f5c8c7d2c",
"sha256:9dbab2a7e9c073bc9538824a01f5ed689194db7f55f2b8102766873e906a6c1a",
"sha256:a27b029caa3b555a4f3da54bc1e718eb55fcf1a11fda8bf0132147b476cf4c08",
"sha256:a8b817d4ed68fd568ec5e45dd75ddf30cc72a47a6b41b74d5bb211374c296f5e",
"sha256:ad7d66422b9cc51125509229693d27e18c08f2dea3ac9de408d821932b1b3759",
"sha256:b46e79a9f4db53897d17bc64a39d1c7c2be3e3d4f8dba6d6730a2b13ddf0f986",
"sha256:baa96a3418e27d723064854143b2f414a422c84cc87285a71558722049bebc5a",
"sha256:beeca903e4270b4afcd114f371a9602240dc143f9e944edfea00f8d4ad56c40d",
"sha256:c2a1168e5aa7c72499fb03c850e0f03f624fa4a5c8d2e215c518d0a73872eb64",
"sha256:c5790cc603456b6dcf8a9a4765f666895a6afddc88b3d3ba7b53dea2b6e23116",
"sha256:cb4a08f0aaaa869f189ffea0e17b86ad0237b51116d494da15ef7991ee6ad2d7",
"sha256:cd5771e8ea325f85cbb361ddbdeb9ae424a68e5dfb6eea786afdcd22e68a7d5d",
"sha256:ce8e51774eb03844588d3c279adb94efcd0edeccd2f97516623292445bcc01f9",
"sha256:d09daf5c6ce7fc6ed444c9339bbde5ea84e2534d1ca1cd37b60f365c77f00dea",
"sha256:d0e798b072cf2aab9daceb43d97c9c527a0c7593e67a7846ad4cc6051de1e303",
"sha256:d325d61cac602976a5d47b19eaa7d04e3daf4efce2164c630219885087234102",
"sha256:d408172519049e36fb6d29672f060dc8461fc7174eba9883c7026041ef9bfb38",
"sha256:d52442e7c951e4c9ee591d6047706e66923d248d83958bbf99b8b19515fffaef",
"sha256:dc4cfef5d899f5f1a15f3d2ac49f71107a01a5a2745b4dd53fa0cede1419385a",
"sha256:df7b4cee3ff31b3335aba602f8d70dbc641e5b7164b1e9565570c9d3c536a438",
"sha256:e068dfeadbce63072b2d8096486713d04db4946aad0a0f849bd4fc300799d0d3",
"sha256:e07c24018986fb00d6e7eafca8fcd6e05095649e17fcf0e33a592caaa62a78b9",
"sha256:e0bce9f7c30e7e3a9e683f670314c0144e8d34be6b7019e40604763bd278d84f",
"sha256:e1925f78a543b94c3d46274c66a366fee8a263747060220ed0188e5f3eeea1c0",
"sha256:e322c94596054352f5a02771eec71563c018b15699b961aba14d6dd943367022",
"sha256:e4a095e18847c12ec20e55326ab8782d9c2d599400a3a2f174fab4796875d0e2",
"sha256:e5a811aab1b4aea0b4be669363c19847a8c547510f0e18fb632956369fdbdf67",
"sha256:eddf604a3de2ace3d9a4e4d491be7562a1ac095a0a1c95a9ec5781ef0273ef11",
"sha256:ee9b1cae9a6c5d023e5a150f6f6b9dbb3c3bbc7887d6ee07d4c0ecb49a473734",
"sha256:f1650ea41c408755da5eed52ac6ccbc8938ccc3e698d81e6f6a1be02ff2a0945",
"sha256:f2c0957b3e8c66c10d27272709a5299ab3670a0f187c9428f3b90d267119aedb",
"sha256:f76109387e1ec8d8e2137c94c437b89fe002f29e0881aae8ae45529bdff92000",
"sha256:f8a728511c977df6f3d8af388fcb157e49f11db4a6637dd60131b8b6e40b0253",
"sha256:fb6c3dc3d65014d2c782f5acf0b3ba14e639c6c33d3ed8932ead76b9080b3544"
],
"markers": "python_version >= '3.6'",
"version": "==5.1.0"
"markers": "python_version >= '3.7'",
"version": "==6.0.3"
},
"packaging": {
"hashes": [
"sha256:7dc96269f53a4ccec5c0670940a4281106dd0bb343f47b7471f779df49c2fbe7",
"sha256:c86254f9220d55e31cc94d69bade760f0847da8000def4dfe1c6b872fd14ff14"
"sha256:2198ec20bd4c017b8f9717e00f0c8714076fc2fd93816750ab48e2c41de2cfd3",
"sha256:957e2148ba0e1a3b282772e791ef1d8083648bc131c8ab0c1feba110ce1146c3"
],
"markers": "python_version >= '3.6'",
"version": "==21.0"
"markers": "python_version >= '3.7'",
"version": "==22.0"
},
"pathspec": {
"hashes": [
"sha256:7d15c4ddb0b5c802d161efc417ec1a2558ea2653c2e8ad9c19098201dc1c993a",
"sha256:e564499435a2673d586f6b2130bb5b95f04a3ba06f81b8f895b651a3c76aabb1"
"sha256:88c2606f2c1e818b978540f73ecc908e13999c6c3a383daf3705652ae79807a5",
"sha256:8f6bf73e5758fd365ef5d58ce09ac7c27d2833a8d7da51712eac6e27e35141b0"
],
"version": "==0.9.0"
"markers": "python_version >= '3.7'",
"version": "==0.10.2"
},
"pluggy": {
"hashes": [
@@ -485,19 +750,11 @@
},
"py": {
"hashes": [
"sha256:21b81bda15b66ef5e1a777a21c4dcd9c20ad3efd0b3f817e7a809035269e1bd3",
"sha256:3b80836aa6d1feeaa108e046da6423ab8f6ceda6468545ae8d02d9d58d18818a"
"sha256:51c75c4126074b472f746a24399ad32f6053d1b34b68d2fa41e558e6f4a98719",
"sha256:607c53218732647dff4acdfcd50cb62615cedf612e72d1724fb1a0cc6405b378"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==1.10.0"
},
"pyparsing": {
"hashes": [
"sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1",
"sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b"
],
"markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==2.4.7"
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
"version": "==1.11.0"
},
"pytest": {
"hashes": [
@@ -509,10 +766,10 @@
},
"pytz": {
"hashes": [
"sha256:83a4a90894bf38e243cf052c8b58f381bfe9a7a483f6a9cab140bc7f702ac4da",
"sha256:eb10ce3e7736052ed3623d49975ce333bcd712c7bb19a58b9e2089d4057d0798"
"sha256:222439474e9c98fced559f1709d89e6c9cbf8d79c794ff3eb9f8800064291427",
"sha256:e89512406b793ca39f5971bc999cc538ce125c0e51c27941bef4568b460095e2"
],
"version": "==2021.1"
"version": "==2022.6"
},
"pyyaml": {
"hashes": [
@@ -557,49 +814,80 @@
"index": "pypi",
"version": "==2.26.0"
},
"setuptools": {
"hashes": [
"sha256:57f6f22bde4e042978bcd50176fdb381d7c21a9efa4041202288d3737a0c6a54",
"sha256:a7620757bf984b58deaf32fc8a4577a9bbc0850cf92c20e1ce41c38c19e5fb75"
],
"markers": "python_version >= '3.7'",
"version": "==65.6.3"
},
"simplejson": {
"hashes": [
"sha256:02bc0b7b643fa255048862f580bb4b7121b88b456bc64dabf9bf11df116b05d7",
"sha256:02c04b89b0a456a97d5313357dd9f2259c163a82c5307e39e7d35bb38d7fd085",
"sha256:05cd392c1c9b284bda91cf9d7b6f3f46631da459e8546fe823622e42cf4794bb",
"sha256:1331a54fda3c957b9136402943cf8ebcd29c0c92101ba70fa8c2fc9cdf1b8476",
"sha256:18302970ce341c3626433d4ffbdac19c7cca3d6e2d54b12778bcb8095f695473",
"sha256:1ebbaa48447b60a68043f58e612021e8893ebcf1662a1b18a2595ca262776d7e",
"sha256:2104475a0263ff2a3dffca214c9676eb261e90d06d604ac7063347bd289ac84c",
"sha256:23169d78f74fd25f891e89c779a63fcb857e66ab210096f4069a5b1c9e2dc732",
"sha256:32edf4e491fe174c54bf6682d794daf398736158d1082dbcae526e4a5af6890b",
"sha256:3904b528e3dc0facab73a4406ebf17f007f32f0a8d7f4c6aa9ed5cbad3ea0f34",
"sha256:391a8206e698557a4155354cf6996c002aa447a21c5c50fb94a0d26fd6cca586",
"sha256:3c80b343503da8b13fa7d48d1a2395be67e97b67a849eb79d88ad3b12783e7da",
"sha256:3dddd31857d8230aee88c24f485ebca36d1d875404b2ef11ac15fa3c8a01dc34",
"sha256:56f57c231cdd01b6a1c0532ea9088dff2afe7f4f4bda61c060bcb1a853e6b564",
"sha256:5b080be7de4c647fa84252cf565298a13842658123bd1a322a8c32b6359c8f1e",
"sha256:6285b91cfa37e024f372b9b77d14f279380eebc4f709db70c593c069602e1926",
"sha256:6510e886d9e9006213de2090c55f504b12f915178a2056b94840ed1d89abe68e",
"sha256:6ff6710b824947ef5a360a5a5ae9809c32cedc6110df3b64f01080c1bc1a1f08",
"sha256:79545a6d93bb38f86a00fbc6129cb091a86bb858e7d53b1aaa10d927d3b6732e",
"sha256:88a69c7e8059a4fd7aa2a31d2b3d89077eaae72eb741f18a32cb57d04018ff4c",
"sha256:8f174567c53413383b8b7ec2fbe88d41e924577bc854051f265d4c210cd72999",
"sha256:a52b80b9d1085db6e216980d1d28a8f090b8f2203a8c71b4ea13441bd7a2e86e",
"sha256:b25748e71c5df3c67b5bda2cdece373762d319cb5f773f14ae2f90dfb4320314",
"sha256:b45b5f6c9962953250534217b18002261c5b9383349b95fb0140899cdac2bf95",
"sha256:b4ed7b233e812ef1244a29fb0dfd3e149dbc34a2bd13b174a84c92d0cb580277",
"sha256:b60f48f780130f27f8d9751599925c3b78cf045f5d62dd918003effb65b45bda",
"sha256:c69a213ae72b75e8948f06a87d3675855bccb3037671222ffd235095e62f5a61",
"sha256:c91d0f2fc2ee1bd376f5a991c24923f12416d8c31a9b74a82c4b38b942fc2640",
"sha256:d61fb151be068127a0ce7758341cbe778495819622bc1e15eadf59fdb3a0481e",
"sha256:da72a452bcf4349fc467a12b54ab0e63e654a571cacc44084826d52bde12b6ee",
"sha256:dbcd6cd1a9abb5a13c5df93cdc5687f6877efcfefdc9350c22d4094dc4a7dd86",
"sha256:e056056718246c9cdd82d1e3d4ad854a7ceb057498bf994b529750a190a6bd98",
"sha256:e3aa10cce4053f3c1487aaf847a0faa4ae208e11f85a8e6f98de2291713a6616",
"sha256:e7433c604077a17dd71e8b29c96a15e486a70a97f4ed9c7f5e0df6e428af2f0b",
"sha256:f02db159e0afa9cb350f15f4f7b86755eae95267b9012ee90bde329aa643f76c",
"sha256:f32a703fe10cfc2d1020e296eeeeb650faa039678f6b79d9b820413a4c015ddc",
"sha256:fed5e862d9b501c5673c163c8593ebdb2c5422386089c529dfac28d70cd55858",
"sha256:ff7fe042169dd6fce8213c173a4c337f2e807ed5178093143c778eb0484c12ec"
"sha256:002f069c7bb9a86826616a78f1214fea5b993435720990eecb0bf10955b9cd0e",
"sha256:00b673f0b3caf37a3d993bccf30a97290da6313b6ecc7d66937e9cd906d8f840",
"sha256:07e408222931b1a2aab71e60e5f169fa7c0d74cacd4e0a6a0199716cb18dad76",
"sha256:0de746c8f76355c79fd15eccd7ecde0b137cd911bdcdc463fc5c36ec3d8b98ea",
"sha256:0f33d16fa7b5e2ed6ea85d7b31bc84cf8c73c40cc2c9f87071e0fffcd52f5342",
"sha256:0f49858b5fc802081b71269f4a3aa5c5500ec6553637c9a0630f30a2a6541ea7",
"sha256:17dbc7f71fa5b7e4a2acef38cf0be30461ae6659456a978ce7eeebeb5bdf9e1a",
"sha256:17ec5e408fb6615250c1f18fb4eac3b2b99a85e8613bfc2dfa54827d0bf7f3e1",
"sha256:1b4085151e00ab7ca66f269aff7153f0ec18589cb22e7ceb8b365709c723fdd0",
"sha256:1f169402069f8cf93e359f607725b1d920c4dbe5bda4c520025d5fad8d20c1b7",
"sha256:1fbacdbba3cf5a471c67a9ca6cd270bba9578d5bc22aef6028faebbdb98bbb15",
"sha256:252f7cc5524bb5507a08377a4a75aa7ff4645f3dfca814d38bdbcf0f3c34d1ce",
"sha256:2aeed35db00cdf5d49ff1e7d878afd38c86a5fead0f1d364d539ad4d7a869e0e",
"sha256:2cc76435569e6c19574a8e913cfccbed832249b2b3b360caee9a4caf8ff866bf",
"sha256:448ab14fa67b3ac235a8445d14ec6d56268c3dabbce78720f9efa6d698466710",
"sha256:4609feb2ae66c132c6dcbe01dbfd4f6431afb4ff17303e37ca128fb6297cebd2",
"sha256:46bafa7e794f0e91fde850d906b0dc29a624c726b27e75d23bc8c3e35a48f28b",
"sha256:4a6199d302ec7d889e1aa6b493aa8e40b4dfa4bd85708f8c8f0c64ce5b8e0986",
"sha256:4d8d016f70d241f82189bc9f6d1eb8558b3599861f2c501b3f32da7fdf4e92ac",
"sha256:503da91993cc671fe7ebbf120c3ce868278de8226f158336afde874f7b7aa871",
"sha256:54c63cc7857f16a20aa170ffda9ebce45a3b7ba764b67a5a95bfe7ae613a2710",
"sha256:58a429d2c2fa80834115b923ff689622de8f214cf0dc4afa9f59e824b444ab31",
"sha256:599e9c53d3203bc36ef68efec138ca76d201da7ac06a114fae78536a8c10e35b",
"sha256:5f3dd31309ae5cc9f2df51d2d5cac89722dac3c853042ebefcaf7ad06ca19387",
"sha256:6187cbea7fdede732fe0347ad08cd920ebd9faa30b6c48782cee494051ca97c6",
"sha256:622cf0e1f870f189a0757fdcad7998a0c1dd46b0e53aeac9960556c141319c83",
"sha256:638bdd2deaccd3b8e02b1783280bd82341df5e1faa59c4f0276f03f16eec13ea",
"sha256:6804ad50aaf581df5c982fc101b0d932638066fe191074ded783602eb1c8982a",
"sha256:7a4d9b266ae6db578719f1255c742e76ee4676593087f4f6b79a2bbae2b1dcc5",
"sha256:7a9476dcd72aeba7d55c4800b9cd2204201af3539894b8512d74597e35a3033a",
"sha256:7b95c5cf71c16e4fdaa724719aaf8ccbed533e2df57a20bcff825ceeead27688",
"sha256:8493d2c1a940471b07d7c9c356a3f4eee780df073da2917418d0fe8669b54f99",
"sha256:875cfb43b622672218045dc927a86fc7c4c8111264c1d303aca5de33d5df479e",
"sha256:8d762267c4af617e1798bd0151f626105d06a88f214e3874b77eb89106f899fe",
"sha256:94c17d01e4c65e63deec46c984bb810de5e3a1259eb6bacdca63f3efc9c4c673",
"sha256:96979ff7f0daf47422d5f95d2d006da3210e0490a166bce2529f59f55047fc67",
"sha256:97139bf5134d713710665a6edb9500d69b93642c4b6b44b20800232dbd0f5b39",
"sha256:989b31d586954e65170ad3ec597218a6790c401b82da6193e8a897a06aa7946e",
"sha256:98b4c824f15436f1b22fe6d73c42ffacb246f7efc4d9dbbee542dd72355ecc43",
"sha256:9aff3c24017a7819c76b2f177d4fe8334b3d4cb6f702a2d7c666b3d57c36ffb4",
"sha256:9db78e18624f94d7b5642bf487244f803dab844e771d92e83f85f22da21ffe2d",
"sha256:a0e6dd5a0b8c76fb7522470789f1af793d39d6edbd4e40853e7be550ad49c430",
"sha256:a2f70d8170c7e02166a4c91462581e6ae5f35e3351a6b6c5142adcb04c7153ac",
"sha256:a814227fa08cae435ac7a42dcd2a04a7ec4a3cee23b7f83f9544cd26f452dcc4",
"sha256:aa9ecdd1d7ecbc7d1066c37cfbe52f65adf64b11b22d481a98fe1d3675dfff4b",
"sha256:b2b19d7aa4e9a1e7bf8caaf5f478a790190c60136314f45bb7702cb5a9337266",
"sha256:b4997bd8332cef3923402a07351571788f552f55ea1394ffbfccd4d203a8a05f",
"sha256:b71fef8ee41d59509c7f4afac7f627ed143c9e6db9eb08cfbba85e4c4dc5e67b",
"sha256:bd67d6fad7f4cd7c9cb7fad32d78ce32862fdb574b898447987a5de22fd37d73",
"sha256:ca22993a1a00440392c6c76f39addab8d97c706d2a8bcc2c9b2b6cb2cd7f41df",
"sha256:ce1c0580372d3c9bfa151bd0721a9bd5647b9b2245d0588d813fdbd2eb5d6f22",
"sha256:d522f28f7b252454df86ac3db5a0e1fe5ae03c8fc0cd1592c912b07c9fad6c29",
"sha256:d5d25cc5dad31a10d7a8196125515cc3aa68187c8953459fcaf127c2c8410f51",
"sha256:d9f7a692c11de20cb8ec680584815315e03d1404a6e299d36489b0fb6447d98d",
"sha256:d9fa2ad4cabb5054faa8d4a44b84134b0ec9d1421f5e9264d057d6be4d13c7fa",
"sha256:db53a85f4db0dbd9e5f6277d9153bcaa2ccb87b0d672c6a35f19432b3f2301a3",
"sha256:db9d36c4c7997c2a2513a5d218fd90b53bfeaf7e727f94aaf3576973378b3bce",
"sha256:e80f02e68d25c222471fcc5d1933275b8eb396e5e40b7863e4e0a43b3c810059",
"sha256:e84bd1c29e83ec74a95de070473742eb52d08502f2428eff5751671081e0a0a6",
"sha256:f0e12bdafdf7e32c5ad4a073e325ea0d659d4277af8b3d8eccf3101c56879619",
"sha256:fd56a9e0c63a1f9c37621fe298c77795aefd2a26dca80dcae27688586c40b4bb"
],
"markers": "python_version >= '2.5' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==3.17.3"
"version": "==3.18.0"
},
"six": {
"hashes": [
@@ -618,10 +906,11 @@
},
"stix2-patterns": {
"hashes": [
"sha256:174fe5302d2c3223205033af987754132a9ea45a9f8e08aefafbe0549c889ea4",
"sha256:bc46cc4eba44b76a17eab7a3ff67f35203543cdb918ab24c1ebd58403fa27992"
"sha256:07750c5a5af2c758e9d2aa4dde9d8e04bcd162ac2a9b0b4c4de4481d443efa08",
"sha256:ca4d68b2db42ed99794a418388769d2676ca828e9cac0b8629e73cd3f68f6458"
],
"version": "==1.3.2"
"markers": "python_version >= '3.6'",
"version": "==2.0.0"
},
"taxii2-client": {
"hashes": [
@@ -630,14 +919,6 @@
],
"version": "==2.3.0"
},
"typing-extensions": {
"hashes": [
"sha256:0ac0f89795dd19de6b97debb0c6af1c70987fd80a2d62d1958f7e56fcc31b497",
"sha256:50b6f157849174217d0656f99dc82fe932884fb250826c18350e159ec6cdf342",
"sha256:779383f6086d90c99ae41cf0ff39aac8a7937a9283ce0a414e5dd782f4c94a84"
],
"version": "==3.10.0.0"
},
"urllib3": {
"hashes": [
"sha256:39fb8672126159acb139a7718dd10806104dec1e2f0f6c88aab05d17df10c8d4",
@@ -662,46 +943,83 @@
},
"yarl": {
"hashes": [
"sha256:00d7ad91b6583602eb9c1d085a2cf281ada267e9a197e8b7cae487dadbfa293e",
"sha256:0355a701b3998dcd832d0dc47cc5dedf3874f966ac7f870e0f3a6788d802d434",
"sha256:15263c3b0b47968c1d90daa89f21fcc889bb4b1aac5555580d74565de6836366",
"sha256:2ce4c621d21326a4a5500c25031e102af589edb50c09b321049e388b3934eec3",
"sha256:31ede6e8c4329fb81c86706ba8f6bf661a924b53ba191b27aa5fcee5714d18ec",
"sha256:324ba3d3c6fee56e2e0b0d09bf5c73824b9f08234339d2b788af65e60040c959",
"sha256:329412812ecfc94a57cd37c9d547579510a9e83c516bc069470db5f75684629e",
"sha256:4736eaee5626db8d9cda9eb5282028cc834e2aeb194e0d8b50217d707e98bb5c",
"sha256:4953fb0b4fdb7e08b2f3b3be80a00d28c5c8a2056bb066169de00e6501b986b6",
"sha256:4c5bcfc3ed226bf6419f7a33982fb4b8ec2e45785a0561eb99274ebbf09fdd6a",
"sha256:547f7665ad50fa8563150ed079f8e805e63dd85def6674c97efd78eed6c224a6",
"sha256:5b883e458058f8d6099e4420f0cc2567989032b5f34b271c0827de9f1079a424",
"sha256:63f90b20ca654b3ecc7a8d62c03ffa46999595f0167d6450fa8383bab252987e",
"sha256:68dc568889b1c13f1e4745c96b931cc94fdd0defe92a72c2b8ce01091b22e35f",
"sha256:69ee97c71fee1f63d04c945f56d5d726483c4762845400a6795a3b75d56b6c50",
"sha256:6d6283d8e0631b617edf0fd726353cb76630b83a089a40933043894e7f6721e2",
"sha256:72a660bdd24497e3e84f5519e57a9ee9220b6f3ac4d45056961bf22838ce20cc",
"sha256:73494d5b71099ae8cb8754f1df131c11d433b387efab7b51849e7e1e851f07a4",
"sha256:7356644cbed76119d0b6bd32ffba704d30d747e0c217109d7979a7bc36c4d970",
"sha256:8a9066529240171b68893d60dca86a763eae2139dd42f42106b03cf4b426bf10",
"sha256:8aa3decd5e0e852dc68335abf5478a518b41bf2ab2f330fe44916399efedfae0",
"sha256:97b5bdc450d63c3ba30a127d018b866ea94e65655efaf889ebeabc20f7d12406",
"sha256:9ede61b0854e267fd565e7527e2f2eb3ef8858b301319be0604177690e1a3896",
"sha256:b2e9a456c121e26d13c29251f8267541bd75e6a1ccf9e859179701c36a078643",
"sha256:b5dfc9a40c198334f4f3f55880ecf910adebdcb2a0b9a9c23c9345faa9185721",
"sha256:bafb450deef6861815ed579c7a6113a879a6ef58aed4c3a4be54400ae8871478",
"sha256:c49ff66d479d38ab863c50f7bb27dee97c6627c5fe60697de15529da9c3de724",
"sha256:ce3beb46a72d9f2190f9e1027886bfc513702d748047b548b05dab7dfb584d2e",
"sha256:d26608cf178efb8faa5ff0f2d2e77c208f471c5a3709e577a7b3fd0445703ac8",
"sha256:d597767fcd2c3dc49d6eea360c458b65643d1e4dbed91361cf5e36e53c1f8c96",
"sha256:d5c32c82990e4ac4d8150fd7652b972216b204de4e83a122546dce571c1bdf25",
"sha256:d8d07d102f17b68966e2de0e07bfd6e139c7c02ef06d3a0f8d2f0f055e13bb76",
"sha256:e46fba844f4895b36f4c398c5af062a9808d1f26b2999c58909517384d5deda2",
"sha256:e6b5460dc5ad42ad2b36cca524491dfcaffbfd9c8df50508bddc354e787b8dc2",
"sha256:f040bcc6725c821a4c0665f3aa96a4d0805a7aaf2caf266d256b8ed71b9f041c",
"sha256:f0b059678fd549c66b89bed03efcabb009075bd131c248ecdf087bdb6faba24a",
"sha256:fcbb48a93e8699eae920f8d92f7160c03567b421bc17362a9ffbbd706a816f71"
"sha256:009a028127e0a1755c38b03244c0bea9d5565630db9c4cf9572496e947137a87",
"sha256:0414fd91ce0b763d4eadb4456795b307a71524dbacd015c657bb2a39db2eab89",
"sha256:0978f29222e649c351b173da2b9b4665ad1feb8d1daa9d971eb90df08702668a",
"sha256:0ef8fb25e52663a1c85d608f6dd72e19bd390e2ecaf29c17fb08f730226e3a08",
"sha256:10b08293cda921157f1e7c2790999d903b3fd28cd5c208cf8826b3b508026996",
"sha256:1684a9bd9077e922300ecd48003ddae7a7474e0412bea38d4631443a91d61077",
"sha256:1b372aad2b5f81db66ee7ec085cbad72c4da660d994e8e590c997e9b01e44901",
"sha256:1e21fb44e1eff06dd6ef971d4bdc611807d6bd3691223d9c01a18cec3677939e",
"sha256:2305517e332a862ef75be8fad3606ea10108662bc6fe08509d5ca99503ac2aee",
"sha256:24ad1d10c9db1953291f56b5fe76203977f1ed05f82d09ec97acb623a7976574",
"sha256:272b4f1599f1b621bf2aabe4e5b54f39a933971f4e7c9aa311d6d7dc06965165",
"sha256:2a1fca9588f360036242f379bfea2b8b44cae2721859b1c56d033adfd5893634",
"sha256:2b4fa2606adf392051d990c3b3877d768771adc3faf2e117b9de7eb977741229",
"sha256:3150078118f62371375e1e69b13b48288e44f6691c1069340081c3fd12c94d5b",
"sha256:326dd1d3caf910cd26a26ccbfb84c03b608ba32499b5d6eeb09252c920bcbe4f",
"sha256:34c09b43bd538bf6c4b891ecce94b6fa4f1f10663a8d4ca589a079a5018f6ed7",
"sha256:388a45dc77198b2460eac0aca1efd6a7c09e976ee768b0d5109173e521a19daf",
"sha256:3adeef150d528ded2a8e734ebf9ae2e658f4c49bf413f5f157a470e17a4a2e89",
"sha256:3edac5d74bb3209c418805bda77f973117836e1de7c000e9755e572c1f7850d0",
"sha256:3f6b4aca43b602ba0f1459de647af954769919c4714706be36af670a5f44c9c1",
"sha256:3fc056e35fa6fba63248d93ff6e672c096f95f7836938241ebc8260e062832fe",
"sha256:418857f837347e8aaef682679f41e36c24250097f9e2f315d39bae3a99a34cbf",
"sha256:42430ff511571940d51e75cf42f1e4dbdded477e71c1b7a17f4da76c1da8ea76",
"sha256:44ceac0450e648de86da8e42674f9b7077d763ea80c8ceb9d1c3e41f0f0a9951",
"sha256:47d49ac96156f0928f002e2424299b2c91d9db73e08c4cd6742923a086f1c863",
"sha256:48dd18adcf98ea9cd721a25313aef49d70d413a999d7d89df44f469edfb38a06",
"sha256:49d43402c6e3013ad0978602bf6bf5328535c48d192304b91b97a3c6790b1562",
"sha256:4d04acba75c72e6eb90745447d69f84e6c9056390f7a9724605ca9c56b4afcc6",
"sha256:57a7c87927a468e5a1dc60c17caf9597161d66457a34273ab1760219953f7f4c",
"sha256:58a3c13d1c3005dbbac5c9f0d3210b60220a65a999b1833aa46bd6677c69b08e",
"sha256:5df5e3d04101c1e5c3b1d69710b0574171cc02fddc4b23d1b2813e75f35a30b1",
"sha256:63243b21c6e28ec2375f932a10ce7eda65139b5b854c0f6b82ed945ba526bff3",
"sha256:64dd68a92cab699a233641f5929a40f02a4ede8c009068ca8aa1fe87b8c20ae3",
"sha256:6604711362f2dbf7160df21c416f81fac0de6dbcf0b5445a2ef25478ecc4c778",
"sha256:6c4fcfa71e2c6a3cb568cf81aadc12768b9995323186a10827beccf5fa23d4f8",
"sha256:6d88056a04860a98341a0cf53e950e3ac9f4e51d1b6f61a53b0609df342cc8b2",
"sha256:705227dccbe96ab02c7cb2c43e1228e2826e7ead880bb19ec94ef279e9555b5b",
"sha256:728be34f70a190566d20aa13dc1f01dc44b6aa74580e10a3fb159691bc76909d",
"sha256:74dece2bfc60f0f70907c34b857ee98f2c6dd0f75185db133770cd67300d505f",
"sha256:75c16b2a900b3536dfc7014905a128a2bea8fb01f9ee26d2d7d8db0a08e7cb2c",
"sha256:77e913b846a6b9c5f767b14dc1e759e5aff05502fe73079f6f4176359d832581",
"sha256:7a66c506ec67eb3159eea5096acd05f5e788ceec7b96087d30c7d2865a243918",
"sha256:8c46d3d89902c393a1d1e243ac847e0442d0196bbd81aecc94fcebbc2fd5857c",
"sha256:93202666046d9edadfe9f2e7bf5e0782ea0d497b6d63da322e541665d65a044e",
"sha256:97209cc91189b48e7cfe777237c04af8e7cc51eb369004e061809bcdf4e55220",
"sha256:a48f4f7fea9a51098b02209d90297ac324241bf37ff6be6d2b0149ab2bd51b37",
"sha256:a783cd344113cb88c5ff7ca32f1f16532a6f2142185147822187913eb989f739",
"sha256:ae0eec05ab49e91a78700761777f284c2df119376e391db42c38ab46fd662b77",
"sha256:ae4d7ff1049f36accde9e1ef7301912a751e5bae0a9d142459646114c70ecba6",
"sha256:b05df9ea7496df11b710081bd90ecc3a3db6adb4fee36f6a411e7bc91a18aa42",
"sha256:baf211dcad448a87a0d9047dc8282d7de59473ade7d7fdf22150b1d23859f946",
"sha256:bb81f753c815f6b8e2ddd2eef3c855cf7da193b82396ac013c661aaa6cc6b0a5",
"sha256:bcd7bb1e5c45274af9a1dd7494d3c52b2be5e6bd8d7e49c612705fd45420b12d",
"sha256:bf071f797aec5b96abfc735ab97da9fd8f8768b43ce2abd85356a3127909d146",
"sha256:c15163b6125db87c8f53c98baa5e785782078fbd2dbeaa04c6141935eb6dab7a",
"sha256:cb6d48d80a41f68de41212f3dfd1a9d9898d7841c8f7ce6696cf2fd9cb57ef83",
"sha256:ceff9722e0df2e0a9e8a79c610842004fa54e5b309fe6d218e47cd52f791d7ef",
"sha256:cfa2bbca929aa742b5084fd4663dd4b87c191c844326fcb21c3afd2d11497f80",
"sha256:d617c241c8c3ad5c4e78a08429fa49e4b04bedfc507b34b4d8dceb83b4af3588",
"sha256:d881d152ae0007809c2c02e22aa534e702f12071e6b285e90945aa3c376463c5",
"sha256:da65c3f263729e47351261351b8679c6429151ef9649bba08ef2528ff2c423b2",
"sha256:de986979bbd87272fe557e0a8fcb66fd40ae2ddfe28a8b1ce4eae22681728fef",
"sha256:df60a94d332158b444301c7f569659c926168e4d4aad2cfbf4bce0e8fb8be826",
"sha256:dfef7350ee369197106805e193d420b75467b6cceac646ea5ed3049fcc950a05",
"sha256:e59399dda559688461762800d7fb34d9e8a6a7444fd76ec33220a926c8be1516",
"sha256:e6f3515aafe0209dd17fb9bdd3b4e892963370b3de781f53e1746a521fb39fc0",
"sha256:e7fd20d6576c10306dea2d6a5765f46f0ac5d6f53436217913e952d19237efc4",
"sha256:ebb78745273e51b9832ef90c0898501006670d6e059f2cdb0e999494eb1450c2",
"sha256:efff27bd8cbe1f9bd127e7894942ccc20c857aa8b5a0327874f30201e5ce83d0",
"sha256:f37db05c6051eff17bc832914fe46869f8849de5b92dc4a3466cd63095d23dfd",
"sha256:f8ca8ad414c85bbc50f49c0a106f951613dfa5f948ab69c10ce9b128d368baf8",
"sha256:fb742dcdd5eec9f26b61224c23baea46c9055cf16f62475e11b9b15dfd5c117b",
"sha256:fc77086ce244453e074e445104f0ecb27530d6fd3a46698e33f6c38951d5a0f1",
"sha256:ff205b58dc2929191f68162633d5e10e8044398d7a45265f90a0f1d51f85f72c"
],
"markers": "python_version >= '3.6'",
"version": "==1.6.3"
"markers": "python_version >= '3.7'",
"version": "==1.8.2"
}
}
}
rules/application/antivirus/av_hacktool.yml
+1 -2
View File
@@ -19,8 +19,7 @@ detection:
- 'HKTL'
- 'SecurityTool'
- 'ATK/' # Sophos
- Signature|contains:
- 'Hacktool'
- Signature|contains: 'Hacktool'
condition: selection
fields:
- FileName
rules/cloud/azure/azure_ad_azurehound_discovery.yml
+23
View File
@@ -0,0 +1,23 @@
title: Discovery Using AzureHound
id: 35b781cc-1a08-4a5a-80af-42fd7c315c6b
status: experimental
description: Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication.
references:
- https://github.com/BloodHoundAD/AzureHound
author: Janantha Marasinghe
date: 2022/11/27
tags:
- attack.discovery
- attack.t1087.004
- attack.t1526
logsource:
product: azure
service: signinlogs
detection:
selection:
userAgent|contains: 'azurehound'
ResultType: 0
condition: selection
falsepositives:
- Unknown
level: high
rules/web/web_cve_2021_27905_apache_solr_exploit.yml
+36
View File
@@ -0,0 +1,36 @@
title: Potential CVE-2021-27905 Exploitation Attempt
id: 0bbcd74b-0596-41a4-94a0-4e88a76ffdb3
status: experimental
description: Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1.
references:
- https://twitter.com/Al1ex4/status/1382981479727128580
- https://twitter.com/sec715/status/1373472323538362371
- https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/
- https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186
- https://github.com/murataydemir/CVE-2021-27905
author: '@gott_cyber'
date: 2022/12/11
tags:
- attack.initial_access
- attack.t1190
- cve.2021.27905
logsource:
category: webserver
detection:
selection_request1:
c-uri|contains|all:
- '/solr/'
- '/debug/dump?'
- 'param=ContentStream'
sc-status: '200'
selection_request2:
cs-method: 'GET'
c-uri|contains|all:
- '/solr/'
- 'command=fetchindex'
- 'masterUrl='
sc-status: '200'
condition: 1 of selection_*
falsepositives:
- Vulnerability Scanners
level: medium
rules/windows/builtin/application/win_werfault_susp_lsass_credential_dump.yml
+26
View File
@@ -0,0 +1,26 @@
title: Potential Credential Dumping Via WER - Application
id: a18e0862-127b-43ca-be12-1a542c75c7c5
status: experimental
description: Detects windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential
references:
- https://github.com/deepinstinct/Lsass-Shtinkering
- https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55
author: Nasreddine Bencherchali
date: 2022/12/07
tags:
- attack.credential_access
- attack.t1003.001
logsource:
product: windows
service: application
detection:
selection:
Provider_Name: 'Application Error'
EventID: 1000
AppName: 'lsass.exe'
ExceptionCode: 'c0000001' # STATUS_UNSUCCESSFUL
condition: selection
falsepositives:
- Rare legitimate crashing of the lsass process
level: high
rules/windows/builtin/security/win_security_etw_modification.yml → rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml
+16 -4
View File
@@ -1,5 +1,8 @@
title: COMPlus_ETWEnabled Registry Modification
title: ETW Logging Disabled In .NET Processes - Registry
id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
related:
- id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544
type: similar
status: test
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
@@ -12,22 +15,31 @@ references:
- https://bunnyinside.com/?term=f71e8cb9c76a
- http://managed670.rssing.com/chan-5590147/all_p1.html
- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
- https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/06/05
modified: 2022/10/05
modified: 2022/12/09
tags:
- attack.defense_evasion
- attack.t1112
- attack.t1562
logsource:
product: windows
service: security
detection:
selection:
selection_etw_enabled:
EventID: 4657
ObjectName|endswith: '\SOFTWARE\Microsoft\.NETFramework'
ObjectValueName: 'ETWEnabled'
NewValue: 0
condition: selection
selection_complus:
EventID: 4657
ObjectName|endswith: '\Environment\'
ObjectValueName:
- 'COMPlus_ETWEnabled'
- 'COMPlus_ETWFlags'
NewValue: 0
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml
+1 -1
View File
@@ -1,7 +1,7 @@
title: Failed Code Integrity Checks
id: 470ec5fa-7b4e-4071-b200-4c753100f49b
status: stable
description: Code integrity failures may indicate tampered executables.
description: Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries.
author: Thomas Patzke
date: 2019/12/03
modified: 2020/08/23
rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml
+2 -1
View File
@@ -6,6 +6,7 @@ references:
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698
author: Nasreddine Bencherchali
date: 2022/12/05
modified: 2022/12/07
tags:
- attack.execution
- attack.privilege_escalation
@@ -16,7 +17,7 @@ logsource:
service: security
definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
detection:
selection:
selection_eid:
EventID: 4698
selection_paths:
TaskContent|contains:
rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml
+7 -2
View File
@@ -12,6 +12,7 @@ references:
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701
author: Nasreddine Bencherchali
date: 2022/12/05
modified: 2022/12/09
tags:
- attack.execution
- attack.privilege_escalation
@@ -27,7 +28,7 @@ detection:
- 4699 # Task Deleted Event
- 4701 # Task Disabled Event
TaskName|contains:
# Add more important tasks>
# Add more important tasks
- '\Windows\SystemRestore\SR'
- '\Windows\Windows Defender\'
- '\Windows\BitLocker'
@@ -35,7 +36,11 @@ detection:
- '\Windows\WindowsUpdate\'
- '\Windows\UpdateOrchestrator\'
- '\Windows\ExploitGuard'
condition: selection
filter_ac_power_download:
Task|contains: '\Windows\UpdateOrchestrator\AC Power Download'
filter_sys_username:
SubjectUserName|endswith: '$' # False positives during upgrades of Defender, where its tasks get removed and added
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: high
rules/windows/builtin/security/win_security_user_driver_loaded.yml
+11 -9
View File
@@ -13,7 +13,7 @@ references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673
author: xknow (@xknow_infosec), xorxes (@xor_xes)
date: 2019/04/08
modified: 2021/11/30
modified: 2022/12/07
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -27,14 +27,16 @@ detection:
PrivilegeList: 'SeLoadDriverPrivilege'
Service: '-'
filter:
ProcessName|endswith:
- '\Windows\System32\Dism.exe'
- '\Windows\System32\rundll32.exe'
- '\Windows\System32\fltMC.exe'
- '\Windows\HelpPane.exe'
- '\Windows\System32\mmc.exe'
- '\Windows\System32\svchost.exe'
- '\Windows\System32\wimserv.exe'
- ProcessName:
- 'C:\Windows\System32\Dism.exe'
- 'C:\Windows\System32\rundll32.exe'
- 'C:\Windows\System32\fltMC.exe'
- 'C:\Windows\HelpPane.exe'
- 'C:\Windows\System32\mmc.exe'
- 'C:\Windows\System32\svchost.exe'
- 'C:\Windows\System32\wimserv.exe'
- 'C:\Windows\System32\RuntimeBroker.exe'
- ProcessName|endswith:
- '\procexp64.exe'
- '\procexp.exe'
- '\procmon64.exe'
rules/windows/builtin/system/win_system_service_install_hacktools.yml
+1 -2
View File
@@ -28,8 +28,7 @@ detection:
- 'pwdump'
- 'gsecdump'
- 'cachedump'
- ImagePath|contains:
- 'bypass' # https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82#file-scmuacbypass-cpp-L159
- ImagePath|contains: 'bypass' # https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82#file-scmuacbypass-cpp-L159
condition: service and selection
falsepositives:
- Unknown
rules/windows/builtin/windefend/win_defender_amsi_trigger.yml
+3 -3
View File
@@ -6,7 +6,7 @@ references:
- https://docs.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps
author: Bhabesh Raj
date: 2020/09/14
modified: 2021/10/13
modified: 2022/12/07
tags:
- attack.execution
- attack.t1059
@@ -15,8 +15,8 @@ logsource:
service: windefend
detection:
selection:
EventID: 1116
Source_Name: 'AMSI'
EventID: 1116 # The antimalware platform detected malware or other potentially unwanted software.
SourceName: 'AMSI'
condition: selection
falsepositives:
- Unlikely
rules/windows/builtin/windefend/win_defender_disabled.yml
+7 -7
View File
@@ -7,7 +7,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: Ján Trenčanský, frack113
date: 2020/07/28
modified: 2022/05/06
modified: 2022/12/06
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -17,11 +17,11 @@ logsource:
detection:
selection:
EventID:
- 5001
- 5010
- 5012
- 5101
- 5001 # Real-time protection is disabled.
- 5010 # Scanning for malware and other potentially unwanted software is disabled.
- 5012 # Scanning for viruses is disabled.
- 5101 # The antimalware platform is expired.
condition: selection
falsepositives:
- Administrator actions
level: low
- Administrator actions (should be investigated)
level: high
rules/windows/builtin/windefend/win_defender_exclusions.yml
+4 -4
View File
@@ -6,7 +6,7 @@ references:
- https://twitter.com/_nullbind/status/1204923340810543109
author: Christian Burkard
date: 2021/07/06
modified: 2022/02/02
modified: 2022/12/06
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -14,10 +14,10 @@ logsource:
product: windows
service: windefend
detection:
selection1:
EventID: 5007
selection:
EventID: 5007 # The antimalware platform configuration changed.
NewValue|contains: '\Microsoft\Windows Defender\Exclusions'
condition: selection1
condition: selection
falsepositives:
- Administrator actions
level: medium
rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml
+7 -6
View File
@@ -6,16 +6,17 @@ references:
- https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088
author: Nasreddine Bencherchali
date: 2022/08/05
modified: 2022/12/06
tags:
- attack.execution
- attack.t1059
- attack.defense_evasion
- attack.t1562.001
logsource:
product: windows
service: windefend
detection:
allowed_apps_key:
EventID: 5007
NewValue|contains: '\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\'
EventID: 5007 # The antimalware platform configuration changed.
NewValue|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\'
allowed_apps_path:
NewValue|contains:
# Add more paths you don't allow in your org
@@ -25,9 +26,9 @@ detection:
- '\PerfLogs\'
- '\Windows\Temp\'
protected_folders:
EventID: 5007
EventID: 5007 # The antimalware platform configuration changed.
# This will trigger on any folder removal. If you experience FP's then add another selection with specific paths
OldValue|contains: '\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders\'
OldValue|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders\'
condition: all of allowed_apps* or protected_folders
falsepositives:
- Unlikely
rules/windows/builtin/windefend/win_defender_history_delete.yml
+3 -4
View File
@@ -4,23 +4,22 @@ status: test
description: Windows Defender logs when the history of detected infections is deleted. Log file will contain the message "Windows Defender Antivirus has removed history of malware and other potentially unwanted software".
references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus
- https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e
author: Cian Heasley
date: 2020/08/13
modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.t1070.001
logsource:
product: windows
service: windefend
detection:
selection:
EventID: 1013
EventType: 4
EventID: 1013 # The antimalware platform deleted history of malware and other potentially unwanted software.
condition: selection
fields:
- EventID
- EventType
falsepositives:
- Deletion of Defender malware detections history for legitimate reasons
level: high
level: low
rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml
+21
View File
@@ -0,0 +1,21 @@
title: Win Defender Restored Quarantine File
id: bc92ca75-cd42-4d61-9a37-9d5aa259c88b
status: experimental
description: Detects the restoration of files from the defender quarantine
references:
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
author: Nasreddine Bencherchali
date: 2022/12/06
tags:
- attack.defense_evasion
- attack.t1562.001
logsource:
product: windows
service: windefend
detection:
selection:
EventID: 1009 # The antimalware platform restored an item from quarantine.
condition: selection
falsepositives:
- Legitimate administrator activity restoring a file
level: high
rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml
+38
View File
@@ -0,0 +1,38 @@
title: Windows Defender Suspicious Configuration Changes
id: 801bd44f-ceed-4eb6-887c-11544633c0aa
related:
- id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
type: similar
- id: a3ab73f1-bd46-4319-8f06-4b20d0617886
type: similar
status: stable
description: Detects suspicious changes to the windows defender configuration
references:
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
- https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware
author: Nasreddine Bencherchali
date: 2022/12/06
tags:
- attack.defense_evasion
- attack.t1562.001
logsource:
product: windows
service: windefend
detection:
selection:
EventID: 5007 # The antimalware platform configuration changed.
NewValue|contains:
# TODO: Add more suspicious values
- '\Windows Defender\DisableAntiSpyware '
#- '\Windows Defender\Features\TamperProtection ' # Might produce FP
- '\Windows Defender\Scan\DisableRemovableDriveScanning '
- '\Windows Defender\Scan\DisableScanningMappedNetworkDrivesForFullScan '
- '\Windows Defender\SpyNet\DisableBlockAtFirstSeen '
- '\Real-Time Protection\SpyNetReporting '
- '\Real-Time Protection\SubmitSamplesConsent '
# Exclusions changes are covered in 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
# Exploit guard changes are covered in a3ab73f1-bd46-4319-8f06-4b20d0617886
condition: selection
falsepositives:
- Administrator activity (must be investigated)
level: high
rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml
+14 -6
View File
@@ -1,11 +1,13 @@
title: Microsoft Defender Tamper Protection Trigger
id: 49e5bc24-8b86-49f1-b743-535f332c2856
status: stable
description: Detects block of attempt to disable real time protection of Microsoft Defender by tamper protection
description: Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring"
references:
- https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection
author: Bhabesh Raj
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
author: Bhabesh Raj, Nasreddine Bencherchali
date: 2021/07/05
modified: 2022/12/06
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -14,11 +16,17 @@ logsource:
service: windefend
detection:
selection:
EventID: 5013
EventID: 5013 # Tamper protection blocked a change to Microsoft Defender Antivirus. If Tamper protection is enabled then, any attempt to change any of Defender's settings is blocked. Event ID 5013 is generated and states which setting change was blocked.
Value|endswith:
- '\Windows Defender\DisableAntiSpyware = 0x1()'
- '\Real-Time Protection\DisableRealtimeMonitoring = (Current)'
- '\Windows Defender\DisableAntiSpyware'
- '\Windows Defender\DisableAntiVirus'
- '\Windows Defender\Scan\DisableArchiveScanning'
- '\Windows Defender\Scan\DisableScanningNetworkFiles'
- '\Real-Time Protection\DisableRealtimeMonitoring'
- '\Real-Time Protection\DisableBehaviorMonitoring'
- '\Real-Time Protection\DisableIOAVProtection'
- '\Real-Time Protection\DisableScriptScanning'
condition: selection
falsepositives:
- Administrator actions
- Administrator might try to disable defender features during testing (must be investigated)
level: high
rules/windows/builtin/windefend/win_defender_threat.yml
+4 -4
View File
@@ -15,10 +15,10 @@ logsource:
detection:
selection:
EventID:
- 1006
- 1116
- 1015
- 1117
- 1006 # The antimalware engine found malware or other potentially unwanted software.
- 1116 # The antimalware platform detected malware or other potentially unwanted software.
- 1015 # The antimalware platform detected suspicious behavior.
- 1117 # he antimalware platform performed an action to protect your system from malware or other potentially unwanted software.
condition: selection
falsepositives:
- Unlikely
rules/windows/file/file_event/file_event_lsass_shtinkering.yml
+24
View File
@@ -0,0 +1,24 @@
title: LSASS Process Dump Artefact In CrashDumps Folder
id: 6902955a-01b7-432c-b32a-6f5f81d8f625
status: experimental
description: Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
references:
- https://github.com/deepinstinct/Lsass-Shtinkering
- https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
author: '@pbssubhash'
date: 2022/12/08
tags:
- attack.credential_access
- attack.t1003.001
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|startswith: 'C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\'
TargetFilename|contains: 'lsass.exe.'
TargetFilename|endswith: '.dmp'
condition: selection
falsepositives:
- Rare legitimate dump of the process by the operating system due to a crash of lsass
level: high
rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
+8
View File
@@ -1,12 +1,19 @@
title: Creation Of Non-Existent DLLs In System Folders
id: df6ecb8b-7822-4f4b-b412-08f524b4576c
related:
- id: 6b98b92b-4f00-4f62-b4fe-4d1920215771
type: similar
status: experimental
description: Detects the creation of system dlls that are not present on the system. Usualy to achieve dll hijacking
references:
- https://decoded.avast.io/martinchlumecky/png-steganography/
- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
- https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
- https://github.com/Wh04m1001/SysmonEoP
- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
author: Nasreddine Bencherchali
date: 2022/12/01
modified: 2022/12/09
tags:
- attack.defense_evasion
- attack.persistence
@@ -22,6 +29,7 @@ detection:
- 'C:\Windows\System32\WLBSCTRL.dll'
- 'C:\Windows\System32\TSMSISrv.dll'
- 'C:\Windows\System32\TSVIPSrv.dll'
- 'C:\Windows\System32\wow64log.dll'
filter:
Image|startswith: 'C:\Windows\System32\'
condition: selection and not filter
rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml
+1 -2
View File
@@ -26,8 +26,7 @@ detection:
- '\SAM-2023-' # C++ version
- '\SAM-haxx' # Early C++ versions
- '\Sam.save' # PowerShell version
- TargetFilename:
- 'C:\windows\temp\sam' # C# version of HiveNightmare
- TargetFilename: 'C:\windows\temp\sam' # C# version of HiveNightmare
condition: selection
fields:
- CommandLine
rules/windows/file/file_event/file_event_win_mimimaktz_memssp_log_file.yml → rules/windows/file/file_event/file_event_win_mimikatz_memssp_log_file.yml
View File
rules/windows/file/file_event/file_event_win_susp_dropper.yml
+7 -1
View File
@@ -6,7 +6,7 @@ references:
- Malware Sandbox
author: frack113
date: 2022/03/09
modified: 2022/11/08
modified: 2022/12/07
tags:
- attack.resource_development
- attack.t1587.001
@@ -76,9 +76,15 @@ detection:
Image|startswith: 'C:\Windows\Microsoft.NET\Framework\'
Image|endswith: '\mscorsvw.exe'
TargetFilename|startswith: 'C:\Windows\assembly\NativeImages_'
filter_vscode:
Image|startswith: 'C:\Users\'
Image|contains: '\AppData\Local\'
Image|endswith: '\Microsoft VS Code\Code.exe'
TargetFilename|contains: '\.vscode\extensions\'
condition: selection and not 1 of filter_*
falsepositives:
- Software installers
- Update utilities
- 32bit applications launching their 64bit versions
#Please contribute to FP to increase the level
level: low
rules/windows/image_load/image_load_abusing_azure_browser_sso.yml
+1 -2
View File
@@ -30,8 +30,7 @@ detection:
- '\AppData\Local\Microsoft\OneDrive\OneDrive.exe'
- '\msedgewebview2.exe'
- '\OneDrive.exe'
- Image|startswith:
- 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
- Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
- Image: null
condition: selection_dll and not filter_legit
falsepositives:
rules/windows/image_load/image_load_foggyweb_nobelium.yml
+3 -3
View File
@@ -1,12 +1,12 @@
title: FoggyWeb Backdoor DLL Loading
id: 640dc51c-7713-4faa-8a0e-e7c0d9d4654c
status: test
description: Detects DLL image load activity as used by FoggyWeb backdoor loader
description: Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. Which loads a malicious version of the expected "version.dll" dll
references:
- https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
author: Florian Roth
date: 2021/09/27
modified: 2022/10/09
modified: 2022/12/09
tags:
- attack.resource_development
- attack.t1587
@@ -15,7 +15,7 @@ logsource:
product: windows
detection:
selection:
Image: C:\Windows\ADFS\version.dll
ImageLoaded: 'C:\Windows\ADFS\version.dll'
condition: selection
falsepositives:
- Unlikely
rules/windows/image_load/image_load_side_load_from_non_system_location.yml
+8 -1
View File
@@ -9,7 +9,7 @@ references:
- https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md
author: Nasreddine Bencherchali, Wietze Beukema (project and research), Chris Spehn (research WFH Dridex), XForceIR (SideLoadHunter Project)
date: 2022/08/14
modified: 2022/10/25
modified: 2022/12/09
tags:
- attack.defense_evasion
- attack.persistence
@@ -433,6 +433,13 @@ detection:
- '\igd10iumd64.dll'
- '\igd12umd64.dll'
- '\igdusc64.dll'
# Other
- '\WLBSCTRL.dll'
- '\TSMSISrv.dll'
- '\TSVIPSrv.dll'
- '\wow64log.dll'
- '\WptsExtensions.dll'
- '\wbemcomn.dll'
filter_generic:
ImageLoaded|startswith:
- 'C:\Windows\System32\'
rules/windows/image_load/image_load_side_load_non_existent_dlls.yml
+43
View File
@@ -0,0 +1,43 @@
title: Sideloading Of Non-Existent DLLs From System Folders
id: 6b98b92b-4f00-4f62-b4fe-4d1920215771
related:
- id: df6ecb8b-7822-4f4b-b412-08f524b4576c
type: similar
status: experimental
description: Detects DLL sideloading of system dlls that are not present on the system by default. Usualy to achieve techniques such as UAC bypass and privilege escalation
references:
- https://decoded.avast.io/martinchlumecky/png-steganography/
- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
- https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
- https://github.com/Wh04m1001/SysmonEoP
- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html
author: Nasreddine Bencherchali
date: 2022/12/09
tags:
- attack.defense_evasion
- attack.persistence
- attack.privilege_escalation
- attack.t1574.001
- attack.t1574.002
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith:
# Add other DLLs
- 'C:\Windows\System32\WLBSCTRL.dll'
- 'C:\Windows\System32\TSMSISrv.dll'
- 'C:\Windows\System32\TSVIPSrv.dll'
- 'C:\Windows\System32\wow64log.dll'
- 'C:\Windows\System32\WptsExtensions.dll'
- 'C:\Windows\System32\wbem\wbemcomn.dll'
filter_ms_signed:
Signed: 'true'
# There could be other signatures (please add when found)
Signature: 'Microsoft Windows'
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: high
rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml
+2 -2
View File
@@ -11,7 +11,7 @@ references:
- https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
author: Perez Diego (@darkquassar), oscd.community, Ecco
date: 2019/10/27
modified: 2022/09/15
modified: 2022/12/09
tags:
- attack.credential_access
- attack.t1003.001
@@ -50,7 +50,7 @@ detection:
ImageLoaded|endswith:
- '\dbghelp.dll'
- '\dbgcore.dll'
Signed: 'FALSE'
Signed: 'false'
filter1:
- Image|contains: 'Visual Studio'
- CommandLine|contains:
rules/windows/image_load/image_load_susp_python_image_load.yml
+1 -2
View File
@@ -18,8 +18,7 @@ detection:
selection:
Description: 'Python Core'
filter_generic:
- Image|contains:
- 'Python' # FPs with python38.dll, python.exe etc.
- Image|contains: 'Python' # FPs with python38.dll, python.exe etc.
- Image|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml
+2 -4
View File
@@ -22,10 +22,8 @@ detection:
Initiated: 'true'
SourcePort: 3389
selection2:
- DestinationIp|startswith:
- '127.'
- DestinationIp:
- '::1'
- DestinationIp|startswith: '127.'
- DestinationIp: '::1'
condition: selection and selection2
falsepositives:
- Unknown
rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
+1 -2
View File
@@ -43,8 +43,7 @@ detection:
- '51.103.' # Microsoft range, caused some FPs
- '51.104.' # Microsoft range, caused some FPs
- '51.105.' # Microsoft range, caused some FPs
- CommandLine|contains:
- 'PcaSvc.dll,PcaPatchSdbTask'
- CommandLine|contains: 'PcaSvc.dll,PcaPatchSdbTask'
filter_update_processes:
ParentImage: 'C:\Windows\System32\svchost.exe'
RemoteAddress|endswith: ':443'
rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml
+2 -4
View File
@@ -27,10 +27,8 @@ detection:
- '\Windows\Fonts\'
- '\Windows\IME\'
- '\Windows\addins\'
- Image|endswith:
- '\$Recycle.bin'
- Image|startswith:
- 'C:\Perflogs\'
- Image|endswith: '\$Recycle.bin'
- Image|startswith: 'C:\Perflogs\'
false_positive1:
Image|startswith: 'C:\Users\Public\IBM\ClientSolutions\Start_Programs\' # IBM Client Solutions Default Location
condition: selection and not 1 of false_positive*
rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml
+30
View File
@@ -0,0 +1,30 @@
title: Nslookup PowerShell Download Cradle
id: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1
related:
- id: 1b3b01c7-84e9-4072-86e5-fc285a41ff23
type: similar
status: experimental
description: Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records
references:
- https://twitter.com/Alh4zr3d/status/1566489367232651264
author: Sai Prashanth Pulisetti @pulisettis
date: 2022/12/10
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_classic_start
definition: fields have to be extract from event
detection:
selection:
HostApplication|contains|all:
- 'powershell'
- 'nslookup'
HostApplication|contains:
- '-q=txt'
- '-querytype=txt'
condition: selection
falsepositives:
- Unknown
level: high
rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
+1 -2
View File
@@ -25,8 +25,7 @@ detection:
- 'bypass'
- 'RemoteSigned'
filter:
- ParentImage:
- 'C:\ProgramData\chocolatey\choco.exe'
- ParentImage: 'C:\ProgramData\chocolatey\choco.exe'
- ScriptBlockText|contains:
- "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')"
- "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')"
rules/windows/process_creation/proc_creation_create_link_osk_cmd.yml
+28
View File
@@ -0,0 +1,28 @@
title: Potential Privilege Escalation Using Symlink Between Osk and Cmd
id: e9b61244-893f-427c-b287-3e708f321c6b
status: experimental
description: Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md
- https://ss64.com/nt/mklink.html
author: frack113
date: 2022/12/11
tags:
- attack.credential_access
- attack.t1546.008
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'Cmd.exe'
selection_cli:
CommandLine|contains|all:
- 'mklink'
- '\osk.exe'
- '\cmd.exe'
condition: all of selection_*
falsepositives:
- Unknown
level: high
rules/windows/process_creation/proc_creation_lsass_shtinkering.yml
+41
View File
@@ -0,0 +1,41 @@
title: Potential Credential Dumping Via WER
id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3
status: experimental
description: Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass
references:
- https://github.com/deepinstinct/Lsass-Shtinkering
- https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
author: '@pbssubhash , Nasreddine Bencherchali'
date: 2022/12/08
modified: 2022/12/09
tags:
- attack.credential_access
- attack.t1003.001
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\Werfault.exe'
- OriginalFileName: 'WerFault.exe'
selection_cli:
ParentUser|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
User|contains:
- 'AUTHORI'
- 'AUTORI'
CommandLine|contains|all:
# Doc: WerFault.exe -u -p <target process> -ip <source process> -s <file mapping handle>
# Example: C:\Windows\system32\Werfault.exe -u -p 744 -ip 1112 -s 244
# If the source process is not equal to the target process and the target process is LSASS then this is an indication of this technique
# Example: If the "-p" points the PID of "lsass.exe" and "-ip" points to a different process than "lsass.exe" then this is a sign of malicious activity
- ' -u -p '
- ' -ip '
- ' -s '
filter_lsass:
ParentImage: 'C:\Windows\System32\lsass.exe'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the "-p" parameter in the CommandLine.
level: high
rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml
+40
View File
@@ -0,0 +1,40 @@
title: Potential PE Metadata Tamper Using Rcedit
id: 0c92f2e6-f08f-4b73-9216-ecb0ca634689
status: experimental
description: Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.
references:
- https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe
- https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915
- https://github.com/electron/rcedit
author: Micah Babinski
date: 2022/12/11
tags:
- attack.defense_evasion
- attack.t1036.003
- attack.t1036
- attack.t1027.005
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\rcedit-x64.exe'
- '\rcedit-x86.exe'
- Description: 'Edit resources of exe'
- Product: 'rcedit'
selection_flags:
CommandLine|contains: '--set-' # Covers multiple edit commands such as "--set-resource-string" or "--set-version-string"
selection_attributes:
CommandLine|contains:
- 'OriginalFileName'
- 'CompanyName'
- 'FileDescription'
- 'ProductName'
- 'ProductVersion'
- 'LegalCopyright'
condition: all of selection_*
falsepositives:
- Legitimate use of the tool by administrators or users to update metadata of a binary
level: medium
rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml
+1 -2
View File
@@ -20,8 +20,7 @@ detection:
- 'localgroup'
- 'admin'
- '/add'
- CommandLine|contains:
- '\Win64.exe'
- CommandLine|contains: '\Win64.exe'
condition: selection
falsepositives:
- Unknown
rules/windows/process_creation/proc_creation_win_chisel_usage.yml
+5 -3
View File
@@ -8,8 +8,10 @@ description: Detects usage of the Chisel tunneling tool via the commandline argu
references:
- https://github.com/jpillora/chisel/
- https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/
- https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/
author: Florian Roth
date: 2022/09/13
modified: 2022/12/07
tags:
- attack.command_and_control
- attack.t1090.001
@@ -25,11 +27,11 @@ detection:
- 'exe server '
selection_param2:
CommandLine|contains:
- ' --socks5'
- ' --reverse'
- '-socks5'
- '-reverse'
- ' r:'
- ':127.0.0.1:'
- ' --tls-skip-verify '
- '-tls-skip-verify '
- ':socks'
condition: selection_img or all of selection_param*
falsepositives:
rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml
+7 -4
View File
@@ -1,7 +1,7 @@
title: COMPlus_ETWEnabled Command Line Arguments
title: ETW Logging Tamper In .NET Processes
id: 41421f44-58f9-455d-838a-c398859841d4
status: test
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
description: Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
- https://twitter.com/_xpn_/status/1268712093928378368
- https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
@@ -12,9 +12,10 @@ references:
- https://bunnyinside.com/?term=f71e8cb9c76a
- http://managed670.rssing.com/chan-5590147/all_p1.html
- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
- https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
modified: 2021/11/27
modified: 2022/12/09
tags:
- attack.defense_evasion
- attack.t1562
@@ -23,7 +24,9 @@ logsource:
product: windows
detection:
selection:
CommandLine|contains: 'COMPlus_ETWEnabled=0'
CommandLine|contains:
- 'COMPlus_ETWEnabled'
- 'COMPlus_ETWFlags'
condition: selection
falsepositives:
- Unlikely
rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml
+3 -2
View File
@@ -1,11 +1,12 @@
title: False Sysinternals Suite Tools
title: Potential Binary Impersonating Sysinternals Tools
id: 7cce6fc8-a07f-4d84-a53e-96e1879843c9
status: experimental
description: Rename as a legitimate Sysinternals Suite tool to evade detection
description: Detects binaries that use the same name as legitimate sysinternals tools to evade detection
references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
author: frack113
date: 2021/12/20
modified: 2022/12/08
tags:
- attack.execution
- attack.defense_evasion
rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml
+2 -2
View File
@@ -9,7 +9,7 @@ references:
- https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py
author: Ecco, oscd.community, Jonhnathan Ribeiro
date: 2019/09/03
modified: 2021/11/27
modified: 2022/12/08
tags:
- attack.execution
- attack.t1047
@@ -46,7 +46,7 @@ detection:
- 'cmd.exe'
- '/Q'
- '/c'
- '\\\\127.0.0.1\'
- '\\\\127.0.0.1\\'
- '&1'
selection_atexec:
ParentCommandLine|contains:
rules/windows/process_creation/proc_creation_win_lolbin_setres.yml
+26
View File
@@ -0,0 +1,26 @@
title: Use of Setres.exe
id: 835e75bf-4bfd-47a4-b8a6-b766cac8bcb7
status: experimental
description: Detects the use of Setres.exe to set the screen resolution and then potentially launch a file named "choice" (with any executable extension such as ".cmd" or ".exe") from the current execution path
references:
- https://lolbas-project.github.io/lolbas/Binaries/Setres/
- https://twitter.com/0gtweet/status/1583356502340870144
- https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
author: '@gott_cyber'
date: 2022/12/11
tags:
- attack.defense_evasion
- attack.t1218
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\setres.exe'
Image|endswith: '\choice'
condition: all of selection*
falsepositives:
- Legitimate usage of Setres
level: medium
rules/windows/process_creation/proc_creation_win_mmc_spawn_shell.yml
+1 -2
View File
@@ -27,8 +27,7 @@ detection:
- '\bash.exe'
- '\reg.exe'
- '\regsvr32.exe'
- Image|contains:
- '\BITSADMIN'
- Image|contains: '\BITSADMIN'
condition: all of selection*
fields:
- CommandLine
rules/windows/process_creation/proc_creation_win_mshta_spawn_shell.yml
+1 -2
View File
@@ -30,8 +30,7 @@ detection:
- '\bash.exe'
- '\reg.exe'
- '\regsvr32.exe'
- Image|contains:
- '\BITSADMIN'
- Image|contains: '\BITSADMIN'
condition: all of selection*
fields:
- CommandLine
rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml
+8 -2
View File
@@ -10,7 +10,7 @@ references:
- https://twitter.com/_st0pp3r_/status/1583914515996897281
author: frack113
date: 2022/01/16
modified: 2022/10/23
modified: 2022/12/08
tags:
- attack.defense_evasion
- attack.t1218.007
@@ -30,7 +30,13 @@ detection:
- '\MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll'
- '\MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll'
- '\MsiExec.exe" /Y "C:\Windows\CCM\'
- '\MsiExec.exe" /Y C:\Windows\CCM\' #also need non-quoted execution
- '\MsiExec.exe" /Y C:\Windows\CCM\' # also need non-quoted execution
- '\MsiExec.exe" -Y "C:\Program Files\Bonjour\mdnsNSP.dll'
- '\MsiExec.exe" -Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll'
- '\MsiExec.exe" -Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll'
- '\MsiExec.exe" -Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll'
- '\MsiExec.exe" -Y "C:\Windows\CCM\'
- '\MsiExec.exe" -Y C:\Windows\CCM\' #also need non-quoted execution
condition: selection and not 1 of filter_*
falsepositives:
- Legitimate script
rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml
+17 -8
View File
@@ -1,13 +1,14 @@
title: Exchange PowerShell Snap-Ins Used by HAFNIUM
title: Exchange PowerShell Snap-Ins Usage
id: 25676e10-2121-446e-80a4-71ff8506af47
status: experimental
description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data by HAFNIUM
description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27
references:
- https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
author: FPT.EagleEye
- https://www.intrinsec.com/apt27-analysis/
author: FPT.EagleEye, Nasreddine Bencherchali
date: 2021/03/03
modified: 2022/07/14
modified: 2022/12/09
tags:
- attack.execution
- attack.t1059.001
@@ -17,12 +18,20 @@ logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains: 'add-pssnapin microsoft.exchange.powershell.snapin'
condition: selection
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli:
CommandLine|contains: 'Add-PSSnapin'
selection_module:
CommandLine|contains:
- 'Microsoft.Exchange.Powershell.Snapin'
- 'Microsoft.Exchange.Management.PowerShell.SnapIn'
condition: all of selection_*
fields:
- CommandLine
- ParentCommandLine
rules/windows/process_creation/proc_creation_win_renamed_procdump.yml
+3 -3
View File
@@ -1,4 +1,4 @@
title: Renamed ProcDump
title: Renamed ProcDump Execution
id: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67
related:
- id: 03795938-1387-481b-9f4c-3f6241e604fe
@@ -9,7 +9,7 @@ references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
author: Florian Roth
date: 2019/11/18
modified: 2022/08/12
modified: 2022/12/08
tags:
- attack.defense_evasion
- attack.t1036.003
@@ -34,5 +34,5 @@ detection:
condition: (selection_org or all of selection_args_*) and not filter
falsepositives:
- Procdump illegaly bundled with legitimate software
- Weird admins who renamed binaries (and should be investigated)
- Administrators who rename binaries (should be investigated)
level: high
rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml
+6 -17
View File
@@ -18,22 +18,11 @@ logsource:
category: process_creation
product: windows
detection:
selection_1_img:
Image|endswith: '\SharpChisel.exe'
selection_1_pe:
Product: 'SharpChisel'
# Covered by Chisel Rule
# selection_2_client_server:
# CommandLine|contains:
# - 'exe client '
# - 'exe server '
# selection_2_flags:
# CommandLine|contains:
# - ' --socks5'
# - ' --reverse'
# - ' r:'
# - ':127.0.0.1:'
condition: 1 of selection*
selection:
- Image|endswith: '\SharpChisel.exe'
- Product: 'SharpChisel'
# See rule 8b0e12da-d3c3-49db-bb4f-256703f380e5 for Chisel.exe coverage
condition: selection
falsepositives:
- Some false positives may occure with other tools with similar commandlines
- Unlikely
level: high
rules/windows/process_creation/proc_creation_win_susp_cmd.yml
+9 -3
View File
@@ -6,6 +6,7 @@ references:
- https://github.com/Wh04m1001/SysmonEoP
author: frack113
date: 2022/12/05
modified: 2022/12/07
tags:
- attack.privilege_escalation
- attack.defense_evasion
@@ -16,11 +17,11 @@ logsource:
category: process_creation
detection:
selection_shell:
- Image|endswith:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\cmd.exe'
- OriginalFileName:
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
- 'Cmd.Exe'
@@ -29,7 +30,12 @@ detection:
- 'AUTHORI'
- 'AUTORI'
LogonId: '0x3e7'
condition: all of selection_*
filter_compattelrunner:
ParentImage: 'C:\Windows\System32\CompatTelRunner.exe'
ParentCommandLine|contains: '-m:appraiser.dll -f:DoScheduledTelemetryRun'
OriginalFileName: 'PowerShell.EXE'
CommandLine|contains: '-ExecutionPolicy Restricted -Command Write-Host'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Unknown
level: high
rules/windows/process_creation/proc_creation_win_susp_conhost.yml
+7 -4
View File
@@ -6,7 +6,7 @@ references:
- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
author: omkar72
date: 2020/10/25
modified: 2022/12/06
modified: 2022/12/07
tags:
- attack.defense_evasion
- attack.t1202
@@ -42,7 +42,9 @@ detection:
# Example FP:
# ParentCommandLine: "C:\Program Files\Git\cmd\git.exe" cat-file -s 4ca60c8a054f7eaa05f0438a8292762f2015d228
Provider_Name: 'Microsoft-Windows-Kernel-Process'
ParentCommandLine|contains: ' cat-file -s '
ParentCommandLine|contains:
- ' cat-file -s '
- 'show --textconv'
Image: 'C:\Windows\System32\conhost.exe'
filter_image_conhost2:
ParentCommandLine:
@@ -51,9 +53,10 @@ detection:
- '\\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1'
Image: 'C:\Windows\System32\conhost.exe'
filter_image_git:
ParentCommandLine: '\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1'
ParentCommandLine:
- \\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1'
- \\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0x4'
Image: 'C:\Program Files\Git\mingw64\bin\git.exe'
CommandLine|contains: 'show --textconv :'
condition: selection and not 1 of filter_*
fields:
- Image
rules/windows/process_creation/proc_creation_win_susp_conhost_option.yml
+6 -4
View File
@@ -1,12 +1,13 @@
title: Suspicious Conhost Legacy Option
title: Suspicious High IntegrityLevel Conhost Legacy Option
id: 3037d961-21e9-4732-b27a-637bcc7bf539
status: experimental
description: ForceV1 asks for information directly from the kernel space. Conhost connects to the console application
description: ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.
references:
- https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29
- https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
- https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control
author: frack113
date: 2022/04/04
date: 2022/12/09
tags:
- attack.defense_evasion
- attack.t1202
@@ -15,11 +16,12 @@ logsource:
category: process_creation
detection:
selection:
IntegrityLevel: 'High'
CommandLine|contains|all:
- 'conhost.exe'
- '0xffffffff'
- '-ForceV1'
condition: selection
falsepositives:
- Unknown
- Very Likely, including launching cmd.exe via Run As Administrator
level: informational
rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml
+7 -8
View File
@@ -10,7 +10,7 @@ references:
- https://twitter.com/bryon_/status/975835709587075072
author: 'Agro (@agro_sev) oscd.community'
date: 2020/10/10
modified: 2022/02/25
modified: 2022/12/09
tags:
- attack.execution
- attack.t1059.001
@@ -20,15 +20,14 @@ logsource:
category: process_creation
product: windows
detection:
selection_1:
Image|endswith: '\sqlps.exe'
selection_2:
selection_parent:
ParentImage|endswith: '\sqlps.exe'
selection_3:
OriginalFileName: '\sqlps.exe'
filter:
selection_image:
- Image|endswith: '\sqlps.exe'
- OriginalFileName: 'sqlps.exe'
filter_image:
ParentImage|endswith: '\sqlagent.exe'
condition: 1 of selection_* and not filter
condition: selection_parent or (selection_image and not filter_image)
falsepositives:
- Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action.
level: medium
rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml
+2 -2
View File
@@ -6,7 +6,7 @@ references:
- https://twitter.com/SBousseaden/status/1139811587760562176
author: Florian Roth (rule), Samir Bousseaden (idea)
date: 2019/06/17
modified: 2022/10/09
modified: 2022/12/09
tags:
- attack.defense_evasion
- attack.t1055
@@ -20,7 +20,7 @@ detection:
CommandLine|contains: '\netlogon\'
filter2:
- Image|endswith: '\explorer.exe'
- ImageFileName: 'explorer.exe'
- OriginalFileName: 'explorer.exe'
condition: selection and not 1 of filter*
fields:
- CommandLine
rules/windows/process_creation/proc_creation_wmic_tamper_defender.yml
+25
View File
@@ -0,0 +1,25 @@
title: WMIC Tamper Windows Defender
id: 51cbac1e-eee3-4a90-b1b7-358efb81fa0a
status: experimental
description: Detects potential tampering with Windows Defender settings such as adding exclusion using wmic
references:
- https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md
- https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
author: frack113
date: 2022/12/11
tags:
- attack.credential_access
- attack.t1546.008
logsource:
product: windows
category: process_creation
detection:
selection_img:
- OriginalFileName: 'wmic.exe'
- Image|endswith: '\WMIC.exe'
selection_cli:
CommandLine|contains: '/Namespace:\\\\root\\Microsoft\\Windows\\Defender'
condition: all of selection_*
falsepositives:
- Unknown
level: high
rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml
+22 -10
View File
@@ -6,11 +6,12 @@ related:
- id: 8023f872-3f1d-4301-a384-801889917ab4
type: similar
status: experimental
description: Detects the of the "accepteula" key related to sysinternals tools being created from non sysinternals tools
description: Detects the "accepteula" key related to sysinternals tools being created from non sysinternals tools
references:
- Internal Research
author: Nasreddine Bencherchali
date: 2022/08/24
modified: 2022/12/07
tags:
- attack.resource_development
- attack.t1588.002
@@ -21,33 +22,44 @@ detection:
selection:
EventType: CreateKey
TargetObject|contains:
- '\PsExec'
- '\ProcDump'
# Please add new values while respecting the alphabetical order
- '\Active Directory Explorer'
- '\Handle'
- '\LiveKd'
- '\ProcDump'
- '\Process Explorer'
- '\PsExec'
- '\PsLoggedon'
- '\PsLoglist'
- '\PsPasswd'
- '\Active Directory Explorer'
- '\PsPing'
- '\PsService'
TargetObject|endswith: '\EulaAccepted'
filter:
Image|endswith:
- '\PsExec.exe'
- '\PsExec64.exe'
- '\procdump.exe'
- '\procdump64.exe'
# Please add new values while respecting the alphabetical order
- '\ADExplorer.exe'
- '\ADExplorer64.exe'
- '\handle.exe'
- '\handle64.exe'
- '\livekd.exe'
- '\livekd64.exe'
- '\procdump.exe'
- '\procdump64.exe'
- '\procexp.exe'
- '\procexp64.exe'
- '\PsExec.exe'
- '\PsExec64.exe'
- '\PsLoggedon.exe'
- '\PsLoggedon64.exe'
- '\psloglist.exe'
- '\psloglist64.exe'
- '\pspasswd.exe'
- '\pspasswd64.exe'
- '\ADExplorer.exe'
- '\ADExplorer64.exe'
- '\PsPing.exe'
- '\PsPing64.exe'
- '\PsService.exe'
- '\PsService64.exe'
condition: selection and not filter
falsepositives:
- Unlikely
rules/windows/registry/registry_event/registry_event_mal_flowcloud.yml
+1 -2
View File
@@ -19,8 +19,7 @@ detection:
- 'HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}'
- 'HKLM\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}'
- 'HKLM\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}'
- TargetObject|startswith:
- 'HKLM\SYSTEM\Setup\PrintResponsor\'
- TargetObject|startswith: 'HKLM\SYSTEM\Setup\PrintResponsor\'
condition: selection
falsepositives:
- Unknown
rules/windows/registry/registry_event/registry_set_legalnotice_susp_message.yml
+28
View File
@@ -0,0 +1,28 @@
title: Potential Ransomware Activity Using LegalNotice Message
id: 8b9606c9-28be-4a38-b146-0e313cc232c1
status: experimental
description: Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages
references:
- https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1491.001/T1491.001.md
author: frack113
date: 2022/12/11
tags:
- attack.impact
- attack.t1491.001
logsource:
product: windows
category: registry_set
detection:
selection:
EventType: SetValue
TargetObject|contains:
- '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption'
- '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText'
Details|contains:
- 'encrypted'
- 'Unlock-Password'
- 'paying'
condition: selection
falsepositives:
- Unknown
level: high
rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml
+3 -2
View File
@@ -5,9 +5,10 @@ description: Detects tampering of autologger trace sessions which is a technique
references:
- https://twitter.com/MichalKoczwara/status/1553634816016498688
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
author: Nasreddine Bencherchali
date: 2022/08/01
modified: 2022/09/18
modified: 2022/12/09
tags:
- attack.defense_evasion
logsource:
@@ -22,7 +23,7 @@ detection:
- '\EventLog-'
- '\Defender'
TargetObject|endswith:
- '\Enabled'
- '\Enable'
- '\Start'
Details: DWORD (0x00000000)
filter_legitimate:
rules/windows/registry/registry_set/registry_set_etw_disabled.yml → rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml
+18 -4
View File
@@ -1,5 +1,8 @@
title: COMPlus_ETWEnabled Registry Modification - Registry
title: ETW Logging Disabled In .NET Processes - Sysmon Registry
id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544
related:
- id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
type: similar
status: test
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
@@ -12,21 +15,32 @@ references:
- https://bunnyinside.com/?term=f71e8cb9c76a
- http://managed670.rssing.com/chan-5590147/all_p1.html
- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
- https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/
- https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/06/05
modified: 2022/11/26
modified: 2022/12/09
tags:
- attack.defense_evasion
- attack.t1112
- attack.t1562
logsource:
product: windows
category: registry_set
detection:
selection:
selection_etw_enabled:
EventType: SetValue
TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled'
Details: 'DWORD (0x00000000)'
condition: selection
selection_complus:
EventType: SetValue
TargetObject|endswith:
- '\COMPlus_ETWEnabled'
- '\COMPlus_ETWFlags'
Details:
- 0 # For REG_SZ type
- 'DWORD (0x00000000)'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml
+27
View File
@@ -0,0 +1,27 @@
title: Lsass Full Dump Request Via DumpType Registry Settings
id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f719
status: experimental
description: Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS.
references:
- https://github.com/deepinstinct/Lsass-Shtinkering
- https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps
- https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
author: '@pbssubhash'
date: 2022/12/08
tags:
- attack.credential_access
- attack.t1003.001
logsource:
category: registry_set
product: windows
detection:
selection:
EventType: SetValue
TargetObject|contains:
- '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\DumpType'
- '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\lsass.exe\DumpType'
Details: 'DWORD (0x00000002)' # Full Dump
condition: selection
falsepositives:
- Legitimate application that needs to do a full dump of their process
level: high
rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml
+27
View File
@@ -0,0 +1,27 @@
title: ETW Logging Disabled For rpcrt4.dll
id: 90f342e1-1aaa-4e43-b092-39fda57ed11e
status: experimental
description: Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll
references:
- http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html
author: Nasreddine Bencherchali
date: 2022/12/09
tags:
- attack.defense_evasion
- attack.t1112
- attack.t1562
logsource:
product: windows
category: registry_set
detection:
selection:
EventType: SetValue
TargetObject|endswith: '\Microsoft\Windows NT\Rpc\ExtErrorInformation'
Details:
# This is disabled by default for some reason
- 'DWORD (0x00000000)' # Off
- 'DWORD (0x00000002)' # Off with exceptions
condition: selection
falsepositives:
- Unknown
level: low
rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml
+24
View File
@@ -0,0 +1,24 @@
title: ETW Logging Disabled For SCM
id: 4f281b83-0200-4b34-bf35-d24687ea57c2
status: experimental
description: Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)
references:
- http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html
author: Nasreddine Bencherchali
date: 2022/12/09
tags:
- attack.defense_evasion
- attack.t1112
- attack.t1562
logsource:
product: windows
category: registry_set
detection:
selection:
EventType: SetValue
TargetObject|endswith: 'Software\Microsoft\Windows NT\CurrentVersion\Tracing\SCM\Regular\TracingDisabled'
Details: 'DWORD (0x00000001)' # Funny (sad) enough, this value is by default 1.
condition: selection
falsepositives:
- Unknown
level: low
rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml
+1 -2
View File
@@ -25,8 +25,7 @@ detection:
- 'C:\Temp\'
- 'C:\Users\Public\'
- 'C:\Users\Default\'
- Details|contains:
- '\AppData\'
- Details|contains: '\AppData\'
condition: selection and selection2
fields:
- Image
rules/windows/registry/registry_set/registry_set_susp_service_installed.yml
+5 -2
View File
@@ -5,10 +5,10 @@ description: |
Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders.
Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)
references:
- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
- https://web.archive.org/web/20200419024230/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
author: xknow (@xknow_infosec), xorxes (@xor_xes)
date: 2019/04/08
modified: 2022/11/22
modified: 2022/12/07
tags:
- attack.t1562.001
- attack.defense_evasion
@@ -23,10 +23,13 @@ detection:
- 'HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath'
filter:
Image|endswith:
# Please add the full paths that you use in your environment to tighten the rule
- '\procexp64.exe'
- '\procexp.exe'
- '\procmon64.exe'
- '\procmon.exe'
- '\handle.exe'
- '\handle64.exe'
Details|contains: '\WINDOWS\system32\Drivers\PROCEXP152.SYS'
condition: selection and not filter
falsepositives:
tests/test_rules.py
+60 -17
View File
@@ -838,32 +838,59 @@ class TestRules(unittest.TestCase):
"There are rules with non-conform 'logsource' fields. Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#log-source")
def test_selection_list_one_value(self):
def treat_list(file, values, valid_, selection_name):
# rule with only list of Keywords term
if len(values) == 1 and not isinstance(values[0], str):
print(
Fore.RED + "Rule {} has the selection ({}) with a list of only 1 element in detection".format(file, key)
)
valid_ = False
elif isinstance(values[0], dict):
valid_ = treat_dict(file, values, valid_, selection_name)
return valid_
def treat_dict(file, values, valid_, selection_name):
if isinstance(values, list):
for dict_ in values:
for key_ in dict_.keys():
if isinstance(dict_[key_], list):
if len(dict_[key_]) == 1:
print(
Fore.RED + "Rule {} has the selection ({}/{}) with a list of only 1 value in detection".format(file, selection_name, key_)
)
valid_ = False
else:
dict_ = values
for key_ in dict_.keys():
if isinstance(dict_[key_], list):
if len(dict_[key_]) == 1:
print(
Fore.RED + "Rule {} has the selection ({}/{}) with a list of only 1 value in detection".format(file, selection_name, key_)
)
valid_ = False
return valid_
faulty_rules = []
for file in self.yield_next_rule_file_path(self.path_to_rules):
detection = self.get_rule_part(
file_path=file, part_name="detection")
if detection:
valid = True
for key in detection:
values = detection[key]
if isinstance(detection[key], list):
# rule with only list of Keywords term
if len(detection[key]) == 1 and not isinstance(detection[key][0], str):
print(
Fore.RED + "Rule {} has the selection ({}) with a list of only 1 element in detection".format(file, key))
valid = False
valid = treat_list(file, values, valid, key)
if isinstance(detection[key], dict):
for sub_key in detection[key]:
# split in 2 if as get a error "int has not len()"
if isinstance(detection[key][sub_key], list):
if len(detection[key][sub_key]) == 1:
print(
Fore.RED + "Rule {} has the selection ({}/{}) with a list of only 1 value in detection".format(file, key, sub_key))
valid = False
valid = treat_dict(file, values, valid, key)
if not valid:
faulty_rules.append(file)
self.assertEqual(faulty_rules, [], Fore.RED +
"There are rules using list with only 1 element")
"There are rules using list with only 1 element")
def test_unused_selection(self):
faulty_rules = []
@@ -882,8 +909,12 @@ class TestRules(unittest.TestCase):
continue
if selection == "timeframe":
continue
if selection in condition:
# remove special keywords
condition_list = condition.replace("not ", '').replace("1 of ", '').replace("all of ", '').replace(' or ', ' ').replace(' and ', ' ').replace('(', '').replace(')', '').split(" ")
if selection in condition_list:
continue
# find all wildcards in condition
found = False
for wildcard_selection in wildcard_selections.findall(condition):
@@ -904,15 +935,27 @@ class TestRules(unittest.TestCase):
# add "OriginalFilename" after Aurora switched to SourceFilename
# add "ProviderName" after special case powershell classic is resolved
# typos is a list of tuples where each tuple contains ("The typo", "The correct version")
typos = [("ServiceFilename", "ServiceFileName"), ("TargetFileName", "TargetFilename"), ("SourceFileName", "OriginalFileName"), ("Commandline", "CommandLine"), ("Targetobject", "TargetObject"), ("OriginalName", "OriginalFileName")]
typos = [("ServiceFilename", "ServiceFileName"), ("TargetFileName", "TargetFilename"), ("SourceFileName", "OriginalFileName"), ("Commandline", "CommandLine"), ("Targetobject", "TargetObject"), ("OriginalName", "OriginalFileName"), ("ImageFileName", "OriginalFileName")]
faulty_rules = []
for file in self.yield_next_rule_file_path(self.path_to_rules):
# Some fields exists in certain log sources in different forms than other log sources. We need to handle these as special cases
# We check first the logsource to handle special cases
logsource = self.get_rule_part(file_path=file, part_name="logsource").values()
# add more typos in specific logsources below
if "windefend" in logsource:
typos_ = typos + [("New_Value", "NewValue"), ("Old_Value", "OldValue"), ('Source_Name', 'SourceName'), ("Newvalue", "NewValue"), ("Oldvalue", "OldValue"), ('Sourcename', 'SourceName')]
elif "registry_set" in logsource or "registry_add" in logsource or "registry_event" in logsource:
typos_ = typos + [("Targetobject", "TargetObject"), ("Eventtype", "EventType"), ("Newname", "NewName")]
elif "process_creation" in logsource:
typos_ = typos + [("Parentimage", "ParentImage"), ("Integritylevel", "IntegrityLevel"), ("IntegritiLevel", "IntegrityLevel")]
else:
typos_ = typos
detection = self.get_rule_part(file_path=file, part_name="detection")
if detection:
for search_identifier in detection:
if isinstance(detection[search_identifier], dict):
for field in detection[search_identifier]:
for typo in typos:
for typo in typos_:
if typo[0] in field:
print(Fore.RED + "Rule {} has a common typo ({}) which should be ({}) in selection ({}/{})".format(file, typo[0], typo[1], search_identifier, field))
faulty_rules.append(file)